diff --git a/docs/references/selfhosting.md b/docs/references/selfhosting.md
index c69eaa03b..2915a71b5 100644
--- a/docs/references/selfhosting.md
+++ b/docs/references/selfhosting.md
@@ -428,7 +428,7 @@ The goal of rate limits is to prevent password brute force attacks.
 * Cloudron password verification routes - 10 requests per second per IP.
 * HTTP and HTTPS requests - 5000 requests per second per IP.
-* SSH access - 3 connections per second per IP.
+* SSH access - 5 connections per 10 seconds per IP.
 * Email access (Port 25, 587, 993, 4190) - 50 connections per second per IP/App.
 * Database addons access - 5000 connections per second per app (addons use 128 byte passwords).
 * Email relay access - 500 connections per second per app.
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 4a47ab47d..4734964ad 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -38,40 +38,30 @@ iptables -t filter -A CLOUDRON_RATELIMIT_LOG -j DROP
 # http https
 for port in 80 443; do
- iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --set --name "public-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 5000 -j CLOUDRON_RATELIMIT_LOG
+ iptables -A CLOUDRON_RATELIMIT -p tcp --syn --dport ${port} -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
 done
 # ssh smtp ssh msa imap sieve
 for port in 22 202; do
 iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --set --name "public-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 3 -j CLOUDRON_RATELIMIT_LOG
+ iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 10 --hitcount 5 -j CLOUDRON_RATELIMIT_LOG
 done
 # TODO: move docker platform rules to platform.js so it can be specialized to rate limit only when destination is the mail container
 # docker translates (dnat) 25, 587, 993, 4190 in the PREROUTING step
 for port in 2525 4190 9993; do
- iptables -A CLOUDRON_RATELIMIT -p tcp ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "public-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 50 -j CLOUDRON_RATELIMIT_LOG
+ iptables -A CLOUDRON_RATELIMIT -p tcp --syn ! 
-s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m connlimit --connlimit-above 50 -j CLOUDRON_RATELIMIT_LOG
 done
-# ldap, imap, sieve
-for port in 3002 4190 9993; do
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 1 --hitcount 500 -j CLOUDRON_RATELIMIT_LOG
+# msa, ldap, imap, sieve
+for port in 2525 3002 4190 9993; do
+ iptables -A CLOUDRON_RATELIMIT -p tcp --syn -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m connlimit --connlimit-above 500 -j CLOUDRON_RATELIMIT_LOG
 done
 # cloudron docker network: mysql postgresql redis mongodb
 for port in 3306 5432 6379 27017; do
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 1 --hitcount 5000 -j CLOUDRON_RATELIMIT_LOG
-done
-
-# cloudron docker network: mail relay
-for port in 2525; do
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}"
- iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 1 --hitcount 500 -j CLOUDRON_RATELIMIT_LOG
+ iptables -A CLOUDRON_RATELIMIT -p tcp --syn -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
 done
 # For ssh, http, https