diff --git a/system/ufw.py b/system/ufw.py
index cd148edf2ef..89376e7c22e 100644
--- a/system/ufw.py
+++ b/system/ufw.py
@@ -142,7 +142,9 @@ ufw: rule=reject port=auth log=yes
 # for details. Typical usage is:
 ufw: rule=limit port=ssh proto=tcp
-# Allow OpenSSH
+# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
+# a rule=allow task can leave those ports exposed. Either use delete=yes
+# or a separate state=reset task)
 ufw: rule=allow name=OpenSSH
 # Delete OpenSSH rule
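Review bot: The added comment on the `# Allow OpenSSH` example recommends a `state=reset` task as a cleanup path without saying what reset does besides dropping rules. As far as I recall from this module's `state` option (documented outside this hunk, so worth confirming), `reset` also disables the firewall, so a playbook that resets and never re-enables ufw leaves the host unfiltered, which is worse than the stale allow rule the note warns about. I would change the last added line to `# or a separate state=reset task followed by state=enabled.)`, which also supplies the missing period. The caveat applies to every `rule=allow` example in this block, so it may read better as a standalone comment ahead of the examples than attached to OpenSSH alone.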