diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 13c463602b..739a913ce8 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -150,8 +150,7 @@
 - name: setup builder ipset if this is a new install
 command: /usr/sbin/ipset create osbuildapi hash:ip
- ignore_errors: true
- changed_when: false
+ creates: /etc/sysconfig/ipset-osbuildapi
 when: "'osbuild' in group_names"
 tags:
 - base
@@ -171,8 +170,7 @@
 - name: setup blocklist ipset if this is a new install
 command: /usr/sbin/ipset create blocklist hash:ip
- ignore_errors: true
- changed_when: false
+ creates: /etc/sysconfig/blocklist
 when: "'iad2' not in inventory_hostname or ( datacenter == 'iad2' and external == 'true')"
 tags:
 - base
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 41124f732d..f163ee9749 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -16,7 +16,7 @@
 # if the host is external, block some ips
 {% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
--A INPUT -p any -m set --match-set blocklist src -j REJECT
+-A INPUT -p all -m set --match-set blocklist src -j REJECT
 {% endif %}
 # allow ssh - always
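Review bot: The new `creates: /etc/sysconfig/ipset-osbuildapi` guard points at a file that `ipset create` itself never writes, so unless some later task saves the set to that exact path the guard never fires and, now that `ignore_errors: true` is gone, every re-run of the play fails on the "set already exists" error. The blocklist task in the next hunk has the same shape (`creates: /etc/sysconfig/blocklist`), and its file name also lacks the `ipset-` prefix used here, so both paths are worth checking against whatever task persists the sets. A guard that tests kernel state instead of a side file is `command: /usr/sbin/ipset create -exist osbuildapi hash:ip` (`-exist` turns an already-present set into a no-op), optionally keeping `changed_when: false` if change reporting for this step is not wanted. Note also that a persisted file can outlive the kernel set across a reboot; if nothing restores the set at boot, the task would be skipped while the iptables rule that references the set fails to load, so the restore path deserves a look as well.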
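Review bot: The Jinja condition around the rewritten blocklist rule (`datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' )`) does not match the `when:` on the task that creates the set in the previous hunk (`'iad2' not in inventory_hostname or ( datacenter == 'iad2' and external == 'true')`), so a host where the two disagree gets a rule that references a set which was never created; iptables-restore rejects such a rule, and depending on how the ruleset is applied that can leave the host with no firewall loaded at all. Driving both the task and the template from the same test (the `datacenter`/`external` pair used here) keeps set creation and rule emission in step. As a minor point, `-p all` is already the default, so the line can read `-A INPUT -m set --match-set blocklist src -j REJECT`. The template continues outside the hunk.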