diff --git a/roles/firewall/defaults/main.yaml b/roles/firewall/defaults/main.yaml
index ca1455b..ac6cfbc 100644
--- a/roles/firewall/defaults/main.yaml
+++ b/roles/firewall/defaults/main.yaml
@@ -60,7 +60,7 @@ firewall_limit_ssh_hitcount: 10
 firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
 # ipset's
-firewall_ipset_scanner_timeout: 600
+firewall_ipset_cooloff_timeout: 600
 firewall_ipset_blacklist: {}
diff --git a/roles/firewall/templates/ip6tables.j2 b/roles/firewall/templates/ip6tables.j2
index 0e44fb9..c572395 100644
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@@ -25,6 +25,7 @@
 {% if firewall_limit_ssh %}
 -N LIMIT_SSH
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 {% if firewall_use_ulogd %}
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@@ -32,7 +33,6 @@
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
 {% endif %}
 -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v6 src
--A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}
diff --git a/roles/firewall/templates/ipset.v4.j2 b/roles/firewall/templates/ipset.v4.j2
index 3dc9b3d..81c963a 100644
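Review bot: The new first rule of LIMIT_SSH lacks a comment explaining why it must precede `-m recent --set` and the LOG/NFLOG and `-j SET` rules, and the order has a visible consequence: a source already in cooloff_v6 is now rejected before any of those rules run, so during the cooloff it produces no "[iptables SSH BRUTE]" log lines and its SSH recent entry is not refreshed. When the ipset entry expires after firewall_ipset_cooloff_timeout, a source that kept trying is therefore given a fresh firewall_limit_ssh_hitcount attempts (10 by default per the main.yaml hunk) if firewall_limit_ssh_seconds is shorter than that timeout, whereas the old ordering kept its recent entry hot and re-added it on the first attempt; that trade-off (less log noise and recent-list churn versus a fixed-length block) is probably intended but should be written down. A Jinja comment above the new rule, e.g. `{# reject sources already in cooloff first: they are not counted or logged again, and the block lasts exactly firewall_ipset_cooloff_timeout #}`, would capture it, and the rule's `--comment "rate limit ssh 22/tcp"` could name the cooloff check rather than the chain. The identical change in iptables.j2 (hunk @@ -25,6 +25,7 @@, cooloff_v4) needs the same comment; the rule that jumps into LIMIT_SSH and matches port 22 is outside these hunks.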
--- a/roles/firewall/templates/ipset.v4.j2
+++ b/roles/firewall/templates/ipset.v4.j2
@@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}
 {{ render_ipset(firewall_ipset_bogons.v4, 'bogons_v4') }}
-{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}
+{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}
diff --git a/roles/firewall/templates/ipset.v6.j2 b/roles/firewall/templates/ipset.v6.j2
index 9bcd670..7520594 100644
--- a/roles/firewall/templates/ipset.v6.j2
+++ b/roles/firewall/templates/ipset.v6.j2
@@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}
 {{ render_ipset(firewall_ipset_bogons.v6, 'bogons_v6') }}
-{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}
+{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}
diff --git a/roles/firewall/templates/iptables.j2 b/roles/firewall/templates/iptables.j2
index fb66e51..9be97c9 100644
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
@@ -25,6 +25,7 @@
 {% if firewall_limit_ssh %}
 -N LIMIT_SSH
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 {% if firewall_use_ulogd %}
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@@ -32,7 +33,6 @@
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
 {% endif %}
 -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src
--A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}