diff --git a/api/v2/types_firewall.go b/api/v2/types_firewall.go
index 34b18e8..c870811 100644
--- a/api/v2/types_firewall.go
+++ b/api/v2/types_firewall.go
@@ -62,6 +62,9 @@ type FirewallSpec struct {
 // Userdata contains the userdata used for the creation of the firewall.
 // It gets defaulted to a userdata matching for the firewall-controller with connection to Gardener shoot and seed.
 Userdata string `json:"userdata,omitempty"`
+ // UserdataContents contains the unprocessed userdata as separate files.
+ // This is meant as an alternative to `Userdata`.
+ UserdataContents []UserdataContent `json:"userdataContents,omitempty"`
 // SSHPublicKeys are public keys which are added to the firewall's authorized keys file on creation.
 // It gets defaulted to the public key of ssh secret as provided by the controller flags.
 SSHPublicKeys []string `json:"sshPublicKeys,omitempty"`
@@ -74,6 +77,9 @@ type FirewallSpec struct {
 // EgressRules contains egress rules configured for this firewall.
 EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
 
+ // InitialRuleSet is the initial firewall ruleset applied before the firewall-controller starts running.
+ InitialRuleSet *InitialRuleSet `json:"initialRuleSet,omitempty"`
+
 // Interval on which rule reconciliation by the firewall-controller should happen.
 Interval string `json:"interval,omitempty"`
 // DryRun if set to true, firewall rules are not applied. For devel-purposes only.
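Review bot: The doc comment on `UserdataContents` calls it an alternative to `Userdata` but does not say what happens when both are set, and nothing in the hunk marks the two fields as mutually exclusive. Since both define the userdata the firewall is created with, an unspecified precedence lets an operator believe a restricted `UserdataContents` is in effect while a full `Userdata` blob still wins (the rendering code is outside this hunk, so which one wins cannot be confirmed here). State the rule in the comment, e.g. `// Exactly one of Userdata and UserdataContents may be set; setting both is rejected by validation.`, and back it with a CEL `+kubebuilder:validation:XValidation` rule or the admission webhook so the API rejects the ambiguous spec instead of silently picking one. FirewallSpec begins and ends outside this hunk.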
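Review bot: The comment on `InitialRuleSet` says the set is applied before the firewall-controller starts, but it does not say what policy is in force when the field is nil, nor whether the controller's first reconciliation replaces or merges with the initial rules. Both determine the exposure window between boot and the first reconcile, which is exactly the window this field exists to cover, so an operator who omits it needs to know whether the firewall is open or closed until then. Extend the comment to answer both questions, along the lines of `// If unset, <default policy> applies until the firewall-controller reconciles; the controller's rule set then replaces the initial set.`, filled in with whatever the implementation actually does. The enclosing FirewallSpec continues outside the hunk.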
@@ -113,6 +119,42 @@ type AllowedNetworks struct {
 Egress []string `json:"egress,omitempty"`
 }
 
+// UserdataContent represents a file at a specific path with either direct content or content sourced from a secret or configmap.
+type UserdataContent struct {
+ // Path is the file path where the content should be placed.
+ Path string `json:"path"`
+ // Content is the direct content of the file.
+ Content string `json:"content,omitempty"`
+ // ContentFrom represents the source from which to obtain the content of the file.
+ ContentFrom UserdataContentFrom `json:"contentFrom,omitzero"`
+}
+
+// UserdataContentFrom represents the source from which to obtain the content of a userdata file.
+type UserdataContentFrom struct {
+ // SecretKeyRef is a reference to a key within a secret.
+ SecretKeyRef UserdataContentFromSecretKeyRef `json:"secretKeyRef,omitzero"`
+ // ConfigMapKeyRef is a reference to a key within a configmap.
+ ConfigMapKeyRef UserdataContentFromConfigMapKeyRef `json:"configMapKeyRef,omitzero"`
+ // FirewallControllerKubeconfigSecret is a reference to the desired kubeconfig secret for the firewall-controller to access the seed cluster. This kubeconfig will be generated by the firewall-controller-manager.
+ FirewallControllerKubeconfigSecret *UserdataContentFromSecretKeyRef `json:"firewallControllerKubeconfigSecret,omitempty"`
+}
+
+// UserdataContentFromSecretKeyRef represents a reference to a key within a secret.
+type UserdataContentFromSecretKeyRef struct {
+ // Name is the name of the secret.
+ Name string `json:"name"`
+ // Key is the key within the secret.
+ Key string `json:"key"`
+}
+
+// UserdataContentFromConfigMapKeyRef represents a reference to a key within a configmap.
+type UserdataContentFromConfigMapKeyRef struct {
+ // Name is the name of the configmap.
+ Name string `json:"name"`
+ // Key is the key within the configmap.
+ Key string `json:"key"`
+}
+
 // FirewallTemplateSpec describes the data a firewall should have when created from a template
 type FirewallTemplateSpec struct {
 // Metadata of the firewalls created from this template.
@@ -122,6 +164,46 @@ type FirewallTemplateSpec struct {
 Spec FirewallSpec `json:"spec,omitempty"`
 }
 
+// InitialRuleSet is the initial rule set deployed on the firewall.
+type InitialRuleSet struct {
+ // Egress rules to be deployed initially on the firewall.
+ Egress []EgressRule `json:"egress,omitempty"`
+ // Ingress rules to be deployed initially on the firewall.
+ Ingress []IngressRule `json:"ingress,omitempty"`
+}
+
+// NetworkProtocol represents the kind of network protocol.
+type NetworkProtocol string
+
+const (
+ // NetworkProtocolTCP represents tcp connections.
+ NetworkProtocolTCP = "TCP"
+ // NetworkProtocolUDP represents udp connections.
+ NetworkProtocolUDP = "UDP"
+)
+
+type EgressRule struct {
+ // Comment provides a human readable description of this rule.
+ Comment string `json:"comment,omitempty"`
+ // Ports contains all affected network ports.
+ Ports []int32 `json:"ports"`
+ // Protocol constraints the protocol this rule applies to.
+ Protocol NetworkProtocol `json:"protocol"`
+ // To source address cidrs this rule applies to.
+ To []string `json:"to"`
+}
+
+type IngressRule struct {
+ // Comment provides a human readable description of this rule.
+ Comment string `json:"comment,omitempty"`
+ // Ports contains all affected network ports.
+ Ports []int32 `json:"ports"`
+ // Protocol constraints the protocol this rule applies to.
+ Protocol NetworkProtocol `json:"protocol"`
+ // From source address cidrs this rule applies to.
+ From []string `json:"from"`
+}
+
 // EgressRuleSNAT holds a Source-NAT rule
 type EgressRuleSNAT struct {
 // NetworkID is the network for which the egress rule will be configured.
diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go
index b9d9399..68dd9bd 100644
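Review bot: `UserdataContentFromSecretKeyRef` and `UserdataContentFromConfigMapKeyRef` carry only `Name` and `Key`, and neither comment says which namespace the object is resolved in; for a field that can pull a Secret onto the firewall's disk, the API should state that explicitly, e.g. `// Name is the name of the secret; it is resolved in the namespace of the Firewall resource.`, with the wording adjusted to what the manager actually does, so a cross-namespace read is never an open question. `Path` is an unconstrained string with no absolute-path or `..` check, and `UserdataContent` has no file-mode or owner field, which matters most for `FirewallControllerKubeconfigSecret`, whose seed-cluster kubeconfig lands at `Path` with whatever default mode the renderer applies. Consider `// +kubebuilder:validation:Pattern=^/` on `Path` and either a `Mode` field or a comment documenting the default mode for secret-sourced files. The comment should also state that exactly one of `Content`, `SecretKeyRef`, `ConfigMapKeyRef` and `FirewallControllerKubeconfigSecret` may be set, since `omitzero` on the struct fields hides an all-empty source rather than rejecting it. Note that `omitzero` requires Go 1.24's encoding/json and a controller-gen that understands it; worth confirming against the module's toolchain.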
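Review bot: `NetworkProtocolTCP = "TCP"` and `NetworkProtocolUDP = "UDP"` are untyped string constants, so they are not values of `NetworkProtocol` and neither `[]NetworkProtocol{NetworkProtocolTCP}` inference nor exhaustiveness linters treat them as the enum; declare them as `NetworkProtocolTCP NetworkProtocol = "TCP"` and `NetworkProtocolUDP NetworkProtocol = "UDP"`. Nothing constrains the rule fields either: there is no `// +kubebuilder:validation:Enum=TCP;UDP` on `Protocol`, no `Minimum=1`/`Maximum=65535` on `Ports`, and no CIDR format check on `To`/`From`, and because `InitialRuleSet` is rendered before the firewall-controller runs, a malformed value would presumably surface only at boot rather than at admission. The comment on `EgressRule.To` reads `// To source address cidrs this rule applies to.`, but `To` is the destination side of an egress rule; suggest `// To contains the destination address CIDRs this rule applies to.` and `// From contains the source address CIDRs this rule applies to.` for the ingress counterpart, plus "constrains" for "constraints". `EgressRule` and `IngressRule` are exported without a type doc comment.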
--- a/api/v2/zz_generated.deepcopy.go
+++ b/api/v2/zz_generated.deepcopy.go
@@ -161,6 +161,31 @@ func (in DeviceStatsByDevice) DeepCopy() DeviceStatsByDevice {
 return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EgressRule) DeepCopyInto(out *EgressRule) {
+ *out = *in
+ if in.Ports != nil {
+ in, out := &in.Ports, &out.Ports
+ *out = make([]int32, len(*in))
+ copy(*out, *in)
+ }
+ if in.To != nil {
+ in, out := &in.To, &out.To
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.
+func (in *EgressRule) DeepCopy() *EgressRule {
+ if in == nil {
+ return nil
+ }
+ out := new(EgressRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EgressRuleSNAT) DeepCopyInto(out *EgressRuleSNAT) {
 *out = *in
@@ -611,6 +636,13 @@ func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.UserdataContents != nil {
+ in, out := &in.UserdataContents, &out.UserdataContents
+ *out = make([]UserdataContent, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 if in.SSHPublicKeys != nil {
 in, out := &in.SSHPublicKeys, &out.SSHPublicKeys
 *out = make([]string, len(*in))
@@ -633,6 +665,11 @@ func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.InitialRuleSet != nil {
+ in, out := &in.InitialRuleSet, &out.InitialRuleSet
+ *out = new(InitialRuleSet)
+ (*in).DeepCopyInto(*out)
+ }
 if in.DNSPort != nil {
 in, out := &in.DNSPort, &out.DNSPort
 *out = new(uint)
@@ -780,6 +817,60 @@ func (in IDSStatsByDevice) DeepCopy() IDSStatsByDevice {
 return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressRule) DeepCopyInto(out *IngressRule) {
+ *out = *in
+ if in.Ports != nil {
+ in, out := &in.Ports, &out.Ports
+ *out = make([]int32, len(*in))
+ copy(*out, *in)
+ }
+ if in.From != nil {
+ in, out := &in.From, &out.From
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.
+func (in *IngressRule) DeepCopy() *IngressRule {
+ if in == nil {
+ return nil
+ }
+ out := new(IngressRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InitialRuleSet) DeepCopyInto(out *InitialRuleSet) {
+ *out = *in
+ if in.Egress != nil {
+ in, out := &in.Egress, &out.Egress
+ *out = make([]EgressRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.Ingress != nil {
+ in, out := &in.Ingress, &out.Ingress
+ *out = make([]IngressRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitialRuleSet.
+func (in *InitialRuleSet) DeepCopy() *InitialRuleSet {
+ if in == nil {
+ return nil
+ }
+ out := new(InitialRuleSet)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InterfaceStat) DeepCopyInto(out *InterfaceStat) {
 *out = *in
@@ -930,3 +1021,71 @@ func (in *ShootAccess) DeepCopy() *ShootAccess {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserdataContent) DeepCopyInto(out *UserdataContent) {
+ *out = *in
+ in.ContentFrom.DeepCopyInto(&out.ContentFrom)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataContent.
+func (in *UserdataContent) DeepCopy() *UserdataContent {
+ if in == nil {
+ return nil
+ }
+ out := new(UserdataContent)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserdataContentFrom) DeepCopyInto(out *UserdataContentFrom) {
+ *out = *in
+ out.SecretKeyRef = in.SecretKeyRef
+ out.ConfigMapKeyRef = in.ConfigMapKeyRef
+ if in.FirewallControllerKubeconfigSecret != nil {
+ in, out := &in.FirewallControllerKubeconfigSecret, &out.FirewallControllerKubeconfigSecret
+ *out = new(UserdataContentFromSecretKeyRef)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataContentFrom.
+func (in *UserdataContentFrom) DeepCopy() *UserdataContentFrom {
+ if in == nil {
+ return nil
+ }
+ out := new(UserdataContentFrom)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserdataContentFromConfigMapKeyRef) DeepCopyInto(out *UserdataContentFromConfigMapKeyRef) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataContentFromConfigMapKeyRef.
+func (in *UserdataContentFromConfigMapKeyRef) DeepCopy() *UserdataContentFromConfigMapKeyRef {
+ if in == nil {
+ return nil
+ }
+ out := new(UserdataContentFromConfigMapKeyRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserdataContentFromSecretKeyRef) DeepCopyInto(out *UserdataContentFromSecretKeyRef) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataContentFromSecretKeyRef.
+func (in *UserdataContentFromSecretKeyRef) DeepCopy() *UserdataContentFromSecretKeyRef {
+ if in == nil {
+ return nil
+ }
+ out := new(UserdataContentFromSecretKeyRef)
+ in.DeepCopyInto(out)
+ return out
+}