diff --git a/.gitignore b/.gitignore
index b6b0f366..514d1d25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ website/vendor
 !command/test-fixtures/**/.terraform/
 .terraform.lock.hcl
 provider.tf
+.worktrees/
diff --git a/cloudstack/resource_cloudstack_egress_firewall.go b/cloudstack/resource_cloudstack_egress_firewall.go
index e2a83e4c..8ae2937d 100644
--- a/cloudstack/resource_cloudstack_egress_firewall.go
+++ b/cloudstack/resource_cloudstack_egress_firewall.go
@@ -534,7 +534,7 @@ func deleteEgressFirewallRules(d *schema.ResourceData, meta interface{}, rules *
 return errs.ErrorOrNil()
 }
 
-func deleteEgressFirewallRule(d *schema.ResourceData, meta interface{}, rule map[string]interface{}) error {
+func deleteEgressFirewallRule(_ *schema.ResourceData, meta interface{}, rule map[string]interface{}) error {
 cs := meta.(*cloudstack.CloudStackClient)
 uuids := rule["uuids"].(map[string]interface{})
 
@@ -581,7 +581,13 @@ func verifyEgressFirewallParams(d *schema.ResourceData) error {
 return nil
 }
 
-func verifyEgressFirewallRuleParams(d *schema.ResourceData, rule map[string]interface{}) error {
+func verifyEgressFirewallRuleParams(_ *schema.ResourceData, rule map[string]interface{}) error {
+ if cidrList, ok := rule["cidr_list"].(*schema.Set); ok {
+ if cidrList.Contains("0.0.0.0/0") {
+ return fmt.Errorf("CIDR 0.0.0.0/0 is not allowed in egress firewall rules. cidr_list must be within the network subnet")
+ }
+ }
+
 protocol := rule["protocol"].(string)
 if strings.ToLower(protocol) != "all" && protocol != "tcp" && protocol != "udp" && protocol != "icmp" {
 return fmt.Errorf(
diff --git a/cloudstack/resource_cloudstack_egress_firewall_test.go b/cloudstack/resource_cloudstack_egress_firewall_test.go
index 28b664f7..7e968ef9 100644
--- a/cloudstack/resource_cloudstack_egress_firewall_test.go
+++ b/cloudstack/resource_cloudstack_egress_firewall_test.go
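Review bot: The new guard in verifyEgressFirewallRuleParams rejects only the literal string "0.0.0.0/0", yet the error text promises that cidr_list "must be within the network subnet"; nothing in the hunk checks the subnet, and equivalent open prefixes (for example `::/0`, should IPv6 entries be accepted) pass `cidrList.Contains` untouched. Parsing each entry with net.ParseCIDR and rejecting a zero-length prefix enforces the intent independent of spelling and also surfaces malformed entries at validation time instead of leaving that to the API call; keeping the offending CIDR in the message keeps the accompanying tests passing. This needs `net` in the file's import block, which lies outside the hunk, and the function body continues past the hunk. If the literal check is kept instead, the message should say what is actually enforced, e.g. `"CIDR 0.0.0.0/0 is not allowed in egress firewall rules"`.
```go
func verifyEgressFirewallRuleParams(_ *schema.ResourceData, rule map[string]interface{}) error {
	if cidrList, ok := rule["cidr_list"].(*schema.Set); ok {
		for _, v := range cidrList.List() {
			cidr, _ := v.(string)
			_, ipNet, err := net.ParseCIDR(cidr)
			if err != nil {
				return fmt.Errorf("invalid CIDR %q in cidr_list: %w", cidr, err)
			}
			// A zero-length prefix (0.0.0.0/0, ::/0) matches every destination.
			if ones, _ := ipNet.Mask.Size(); ones == 0 {
				return fmt.Errorf("CIDR %q is not allowed in egress firewall rules: a zero-length prefix matches every destination", cidr)
			}
		}
	}
	// … unchanged: protocol validation …
```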
@@ -25,10 +25,44 @@ import (
 "testing"
 
 "github.com/apache/cloudstack-go/v2/cloudstack"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
 "github.com/hashicorp/terraform-plugin-testing/terraform"
 )
 
+func TestVerifyEgressFirewallRuleParams_disallowAnyIP(t *testing.T) {
+ cidrSet := schema.NewSet(schema.HashString, []interface{}{"0.0.0.0/0"})
+ rule := map[string]interface{}{
+ "cidr_list": cidrSet,
+ "protocol": "tcp",
+ "ports": schema.NewSet(schema.HashString, []interface{}{"80"}),
+ "uuids": map[string]interface{}{},
+ }
+
+ err := verifyEgressFirewallRuleParams(nil, rule)
+ if err == nil {
+ t.Fatal("expected error for cidr 0.0.0.0/0, got nil")
+ }
+ if !strings.Contains(err.Error(), "0.0.0.0/0") {
+ t.Fatalf("expected error message to mention 0.0.0.0/0, got: %s", err.Error())
+ }
+}
+
+func TestVerifyEgressFirewallRuleParams_allowValidCIDR(t *testing.T) {
+ cidrSet := schema.NewSet(schema.HashString, []interface{}{"10.1.1.0/24"})
+ rule := map[string]interface{}{
+ "cidr_list": cidrSet,
+ "protocol": "tcp",
+ "ports": schema.NewSet(schema.HashString, []interface{}{"80"}),
+ "uuids": map[string]interface{}{},
+ }
+
+ err := verifyEgressFirewallRuleParams(nil, rule)
+ if err != nil {
+ t.Fatalf("expected no error for valid cidr, got: %s", err.Error())
+ }
+}
+
 func TestAccCloudStackEgressFirewall_basic(t *testing.T) {
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
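Review bot: Both new tests build the same four-key rule fixture and differ only in the CIDR string and the expectation, so a table-driven test with `cidr` and `wantErr` columns would remove the duplication and make further cases (an IPv6 default route, a malformed entry) a one-line addition once the validator covers more than the literal string. The assertion `strings.Contains(err.Error(), "0.0.0.0/0")` relies on `strings` being imported above line 25, which is outside the hunk; the visible part of the import block shows only testing and the provider packages, so confirm it is present. Passing `nil` as the ResourceData is fine only because the validator ignores that parameter; a short comment on the call, `// ResourceData is unused by the validator`, would stop a later reader from wiring up a real one.
```go
func TestVerifyEgressFirewallRuleParams_cidrList(t *testing.T) {
	cases := []struct {
		name    string
		cidr    string
		wantErr bool
	}{
		{"disallow any IP", "0.0.0.0/0", true},
		{"allow valid CIDR", "10.1.1.0/24", false},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			rule := map[string]interface{}{
				"cidr_list": schema.NewSet(schema.HashString, []interface{}{tc.cidr}),
				"protocol":  "tcp",
				"ports":     schema.NewSet(schema.HashString, []interface{}{"80"}),
				"uuids":     map[string]interface{}{},
			}
			// ResourceData is unused by the validator.
			err := verifyEgressFirewallRuleParams(nil, rule)
			if tc.wantErr && err == nil {
				t.Fatalf("expected error for cidr %q, got nil", tc.cidr)
			}
			if !tc.wantErr && err != nil {
				t.Fatalf("expected no error for cidr %q, got: %s", tc.cidr, err)
			}
			if tc.wantErr && !strings.Contains(err.Error(), tc.cidr) {
				t.Fatalf("expected error to mention %q, got: %s", tc.cidr, err)
			}
		})
	}
}
```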