Add support to block using ipsets or interface

Hi there,
based on /etc/univention/templates/files/etc/security/packetfilter.d/10_univention-firewall_start.sh
when system boot, univention-firewall will iptables --wait -F all rule and add print('iptables --wait -A INPUT -p "%(protocol)s" %(addr_args)s --dport %(port)s -j %(action)s' % {

so in case I have more than one interface, 1 for private (want to open as default) and one is public interface and I want disable port 22/SSH on this interface.
if I add rule to file 50_local.sh it’ll not work due to port 22 already opened at 10_univention-firewall_start.sh.

So my question is there anyway to block port 22 on public interface?