diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index a9ebe48..139df04 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -32,7 +32,7 @@
 {% endfor %}
 {% endif %}
 {% else %}
-# ssh is always open. We use denyhosts to prevent unauthorized accesses
+# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 {% endif %}
 {% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
@@ -41,9 +41,11 @@
 -A INPUT -s {{ network.nmis }} -j ACCEPT
 -A INPUT -s {{ network.eduroam }} -j ACCEPT
 {% endif %}
+{% if http_port is not defined %}
 {% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
 {% endif %}
+{% endif %}
 {% if http_port is defined %}
 # http
 {% if http_allowed_hosts is defined %}
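Review bot: The new `{% if http_port is not defined %}` guard in the second hunk suppresses the port-80 ACME rule whenever `http_port` is defined, including when it is set to a port other than 80; if the `# http` block that starts at the end of the hunk only opens `{{ http_port }}` (its body is outside the hunk, so this is inferred), an HTTP-01 challenge against such a host would be dropped by the firewall and certificate renewal would fail without any rule change being visible. Unless hosts with ACME are required to set `http_port` to 80, the guard should be `{% if http_port is not defined or http_port != 80 %}`. The two nested conditions could also be merged into one, `{% if (http_port is not defined or http_port != 80) and letsencrypt_acme_install is defined and letsencrypt_acme_install %}`, which removes the bare trailing `{% endif %}` that now sits between the letsencrypt block and the http block and makes the pairing obvious to the next reader. The `{% if http_port is defined %}` block opened on the last line continues past the hunk.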