diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 1838114aa..27ee027db 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -91,10 +91,20 @@ gui_wan: True
 adm_cons_force_ssl: False
 adm_cons_allow_downloads: False
 
-# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
-# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
-# within github.com/iiab/iiab/blob/master/roles/
-services_externally_visible: True
+# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
+# (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
+# Only 1 of the 6 lines below should be uncommented:
+#
+#ports_externally_visible: 0    # none
+#ports_externally_visible: 1    # ssh only
+#ports_externally_visible: 2    # ssh + Admin Console
+ports_externally_visible: 3     # ssh + Admin Console + common IIAB services
+#ports_externally_visible: 4    # ssh + Admin Console + common IIAB services + Samba
+#ports_externally_visible: 5    # all but databases
+#
+# Or further customize your iptables firewall by editing:
+# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
+# And then run: cd /opt/iiab/iiab; ./iiab-network
 
 # Gateway and Filters
 # Most all implementations use "iiab_gateway_enabled: False" within