diff --git a/conf/turnkey.d/webmin-conf b/conf/turnkey.d/webmin-conf
deleted file mode 100755
index 97b63661..00000000
--- a/conf/turnkey.d/webmin-conf
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh -e
-
-CONF=/etc/webmin/miniserv.conf
-
-update_or_add() {
- key=$1
- value=$2
- if grep -q "$key" $CONF; then
- sed -i "s|$key=.*|$key=$value|" $CONF
- else
- echo "$key=$value" >> $CONF
- fi
-}
-
-update_or_add port 12321
-update_or_add listen 12321
-update_or_add keyfile /etc/ssl/private/cert.pem
-update_or_add certfile
-update_or_add cipher_list_def 0
-update_or_add error_handler_401 401.cgi
-update_or_add error_handler_404 404.cgi
-update_or_add error_handler_403 403.cgi
-update_or_add nolog '\/stats\.cgi\?xhr\-stats\=general'
-update_or_add no_tls1 1
-update_or_add no_tls1_1 1
-update_or_add no_tls1_2
-update_or_add extracas
-update_or_add ssl_hsts 0
diff --git a/conf/turnkey.d/webmin-conf-logging b/conf/turnkey.d/webmin-conf-logging
new file mode 100755
index 00000000..c3467647
--- /dev/null
+++ b/conf/turnkey.d/webmin-conf-logging
@@ -0,0 +1,51 @@
+#!/bin/bash -e
+
+CONF=/etc/webmin/miniserv.conf
+LOG_DIR=/var/log/webmin
+
+update_or_add() {
+ key=$1
+ value=$2
+ if grep -q "$key" "$CONF"; then
+ sed -i "s|$key=.*|$key=$value|" "$CONF"
+ else
+ echo "$key=$value" >> "$CONF"
+ fi
+}
+
+update_or_add port 12321
+update_or_add listen 12321
+update_or_add keyfile /etc/ssl/private/cert.pem
+update_or_add certfile
+update_or_add cipher_list_def 0
+update_or_add error_handler_401 401.cgi
+update_or_add error_handler_404 404.cgi
+update_or_add error_handler_403 403.cgi
+update_or_add nolog '\/stats\.cgi\?xhr\-stats\=general'
+update_or_add no_tls1 1
+update_or_add no_tls1_1 1
+# TODO: Disable TLSv1.2 in a future release (i.e. append '1': 'no_tls1_2 1')
+update_or_add no_tls1_2
+update_or_add extracas
+update_or_add ssl_hsts 1
+update_or_add ssl_enforce 2 # force with hsts - '1' forces ssl but not hsts
+update_or_add ssl_redirect 1
+update_or_add session_timeout 1800 # 30 minutes
+# update logfile location
+update_or_add logfile "$LOG_DIR/miniserv.log"
+update_or_add errorlog "$LOG_DIR/miniserv.error"
+
+# Note: Updating Webmin config for it's own log file as below does not actually
+# work (continues to log to /var/webmin/webmin.log) but we'll work around that
+# via symlinks and update the config file to point to the actual log file
+# anyway.
+CONF=/etc/webmin/config
+update_or_add logfile "$LOG_DIR/webmin.log"
+
+# Prime log files and set permissions
+mkdir -p "$LOG_DIR"
+touch "$LOG_DIR"/{miniserv.log,miniserv.error,webmin.log}
+chmod 750 "$LOG_DIR"
+chmod 640 "$LOG_DIR"/*.log
+rm -f /var/webmin/webmin.log
+ln -sf /var/log/webmin/webmin.log /var/webmin/webmin.log
diff --git a/conf/turnkey.d/webmin-fw b/conf/turnkey.d/webmin-fw
index e1619a6b..854facaf 100755
--- a/conf/turnkey.d/webmin-fw
+++ b/conf/turnkey.d/webmin-fw
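Review bot: `grep -q "$key" "$CONF"` in update_or_add matches the key as an unanchored substring, so when the config already carries a `no_tls1_1=` or `no_tls1_2=` line but no `no_tls1=` line, `update_or_add no_tls1 1` takes the sed branch, the pattern `no_tls1=.*` matches nothing, and the setting is silently never written — TLSv1.0 stays enabled with no error. Anchoring both patterns fixes it: `if grep -q "^$key=" "$CONF"; then` and `sed -i "s|^$key=.*|$key=$value|" "$CONF"`. The same substring problem applies to any key that is a prefix of another key present in the file, so the fix belongs in the function rather than at individual call sites. Separately, `chmod 640 "$LOG_DIR"/*.log` skips miniserv.error, which touch created under the default umask; `chmod 640 "$LOG_DIR"/{miniserv.log,miniserv.error,webmin.log}` covers all three files the script creates.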
@@ -1,10 +1,34 @@ -#!/bin/sh -e +#!/bin/bash -e -set ${WEBMIN_FW_TCP_INCOMING:=22 80 443 12321} +# TODO: drop use of iptables-legacy and use nftables directly -CONF=/etc/iptables.up.rules +set "${WEBMIN_FW_TCP_INCOMING:=22 80 443 12321}" -cat > $CONF < "$conf" <> $CONF -done - -if [ "$WEBMIN_FW_UDP_INCOMING" ]; then - for port in $WEBMIN_FW_UDP_INCOMING; do - echo "-A INPUT -p udp -m udp --dport $port -j ACCEPT" >> $CONF + for port in "${WEBMIN_FW_TCP_INCOMING[@]}"; do + echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT" >> "$conf" done -fi -if [ "$WEBMIN_FW_TCP_INCOMING_REJECT" ]; then - for port in $WEBMIN_FW_TCP_INCOMING_REJECT; do - echo "-A INPUT -p tcp -m tcp --dport $port -j REJECT" >> $CONF - done -fi + if [[ "$WEBMIN_FW_UDP_INCOMING" ]]; then + readarray -t WEBMIN_FW_UDP_INCOMING \ + < <(tr ' ' '\n' <<< "$WEBMIN_FW_UDP_INCOMING" | sort -un) + for port in "${WEBMIN_FW_UDP_INCOMING[@]}"; do + echo "-A INPUT -p udp -m udp --dport $port -j ACCEPT" >> "$conf" + done + fi -echo "COMMIT" >> $CONF + if [ "$WEBMIN_FW_TCP_INCOMING_REJECT" ]; then + readarray -t WEBMIN_FW_TCP_INCOMING_REJECT \ + < <(tr ' ' '\n' <<< "$WEBMIN_FW_TCP_INCOMING_REJECT" | sort -un) + for port in "${WEBMIN_FW_TCP_INCOMING_REJECT[@]}"; do + echo "-A INPUT -p tcp -m tcp --dport $port -j REJECT" >> "$conf" + done + fi -sed -i "/^$/d" $CONF + echo "COMMIT" >> "$conf" + sed -i "/^$/d" "$conf" +done -# As of Buster, Debian uses nftables for firewall; but webmin only supports legacy -# iptables - see https://github.com/webmin/webmin/issues/1097 +# Debian has been using nftables for firewall for some time; but historically +# Webmin only supported legacy iptables. Webmin now supports nftables so as per +# TODO at top of this file TKL should migrate to nftables, but for now we'll +# continue to leverage legacy iptables functionality via 'iptables-legacy'. 
+#
+# See https://github.com/webmin/webmin/issues/1097
 update-alternatives --set iptables /usr/sbin/iptables-legacy
 update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
diff --git a/conf/turnkey.d/webmin-handy-log b/conf/turnkey.d/webmin-handy-log
deleted file mode 100755
index 20354494..00000000
--- a/conf/turnkey.d/webmin-handy-log
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash -e
-
-# set up convenience links to Webmin log files
-
-WEBMIN_VAR=/var/webmin
-WEBMIN_LOG=/var/log/webmin
-
-mkdir -p $WEBMIN_LOG
-
-files=(miniserv.error webmin.log)
-for f in "${files[@]}"; do
- ln -s "$WEBMIN_VAR/$f" "$WEBMIN_LOG/$f"
-done
diff --git a/conf/turnkey.d/webmin-lets-enc b/conf/turnkey.d/webmin-lets-enc
index a19d84ed..2ae13e0e 100755
--- a/conf/turnkey.d/webmin-lets-enc
+++ b/conf/turnkey.d/webmin-lets-enc
@@ -3,5 +3,7 @@
 # Disable Webmin Let's Encrypt config - via patch
 cd /usr/share/webmin/webmin
+# test patch first; --check exits non-zero if doesn't apply cleanly
+git apply --check /usr/local/src/webmin.patch
 git apply /usr/local/src/webmin.patch
 rm /usr/local/src/webmin.patch
diff --git a/overlays/turnkey.d/fail2ban/etc/fail2ban/jail.local b/overlays/turnkey.d/fail2ban/etc/fail2ban/jail.local
index 28eb775e..ccd1b765 100644
--- a/overlays/turnkey.d/fail2ban/etc/fail2ban/jail.local
+++ b/overlays/turnkey.d/fail2ban/etc/fail2ban/jail.local
@@ -9,8 +9,8 @@
 [DEFAULT]
 ignoreip = 127.0.0.1/8 ::1
 bantime = 3600
-findtime = 10
-maxretry = 2
+findtime = 600 # 10 minutes
+maxretry = 3
 backend = systemd

 [sshd]
diff --git a/overlays/turnkey.d/webmin/usr/local/src/webmin.patch b/overlays/turnkey.d/webmin/usr/local/src/webmin.patch
index cf76bcbb..d27ce764 100644
--- a/overlays/turnkey.d/webmin/usr/local/src/webmin.patch
+++ b/overlays/turnkey.d/webmin/usr/local/src/webmin.patch
@@ -1,19 +1,25 @@
 diff --git a/edit_ssl.cgi b/edit_ssl.cgi
-index dd98182..1a4cd77 100755
+index a8b6274..f552dbb 100755
 --- a/edit_ssl.cgi
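Review bot: The port values taken from WEBMIN_FW_TCP_INCOMING, WEBMIN_FW_UDP_INCOMING and WEBMIN_FW_TCP_INCOMING_REJECT are written verbatim into the rules file (`--dport $port`) after only `tr`/`sort -un`, which de-duplicates but does not reject non-numeric or out-of-range entries, so a malformed environment value produces a rules file that iptables-restore will refuse or misread at boot. A guard in each loop such as `[[ $port =~ ^[0-9]+(:[0-9]+)?$ ]] || { echo "invalid port: $port" >&2; exit 1; }` fails fast instead. The new UDP block tests with `[[ "$WEBMIN_FW_UDP_INCOMING" ]]` while the REJECT block keeps `[ "$WEBMIN_FW_TCP_INCOMING_REJECT" ]`; the two should use the same form. The heredoc that opens the rules file and the head of the enclosing `for` loop over `$conf` are not readable in this hunk as rendered, so how `$conf` is derived could not be checked.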
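Review bot: `findtime = 600 # 10 minutes` relies on an inline `#` comment, but as far as I recall fail2ban's ini reader (configparserinc.py) registers only `;` as an inline-comment prefix, so the value may be read literally as `600 # 10 minutes` and fail time parsing when the jail loads. This is worth confirming against the fail2ban version the plan installs. The safe form is to put `# 10 minutes` on its own line above `findtime = 600`.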
+++ b/edit_ssl.cgi -@@ -259,13 +259,14 @@ print ui_tabs_end_tab(); - print ui_tabs_start_tab("mode", "lets"); - print "$text{'ssl_letsdesc'}

\n"; +@@ -261,19 +261,15 @@ print ui_tabs_end_tab(); + # Let's Encrypt form + print ui_tabs_start_tab("mode", "lets"); -my $err = &check_letsencrypt(); +my $err = 1; - if ($err) { -- print "",&text('ssl_letserr', $err),"

\n"; -- print &get_letsencrypt_install_message( -- "/$module_name/edit_ssl.cgi?mode=lets", $text{'ssl_title'}); -- print "

\n"; -- print &text('ssl_letserr2', "../config.cgi?$module_name"),"

\n"; + print $text{'ssl_letsdesc'}; + if (!$err) { +- print &ui_tag('span', +- &ui_details({ +- 'class' => 'inline inlined', +- 'title' => '', +- 'content' => $text{'ssl_letsdesc2'}, +- }))."\n". +- &ui_tag('style', +- ".ui--span>details.inline>summary+span {\n". +- "margin-top: 0;\n". +- "}\n"); + print "Unfortunately the Webmin Let's Encrypt module currrently clashes"; + print " with TurnKey's SSL conf and has been disabled

\n"; + print "

To use Let's Encrypt, please use "; + print "Let's Encrypt plugin docs.

"; } - else { - # Show form to create a cert + print "

\n"; + diff --git a/plans/turnkey/base b/plans/turnkey/base index e805ed45..634b3cab 100644 --- a/plans/turnkey/base +++ b/plans/turnkey/base @@ -62,7 +62,9 @@ ncurses-term /* support additional $TERM values */ webmin webmin-authentic-theme -webmin-net +// webmin-net causing issues so excluded for now +// see https://github.com/turnkeylinux/tracker/issues/2118 +//webmin-net webmin-software webmin-useradmin webmin-passwd @@ -82,6 +84,7 @@ libfile-mimeinfo-perl /* webmin-filemin requires to extract archives */ logrotate iptables +iptables-persistent webmin-firewall webmin-firewall6 fail2ban