diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml
index 476fc0b4..1e6ef6e8 100644
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -1,5 +1,7 @@
 cilium:
 kubeProxyReplacement: true
+ hostFirewall:
+ enabled: true
 hubble:
 enabled: false
 externalIPs:
diff --git a/packages/system/linstor/templates/networkpolicy.yaml b/packages/system/linstor/templates/networkpolicy.yaml
new file mode 100644
index 00000000..e8129b30
--- /dev/null
+++ b/packages/system/linstor/templates/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: restrict-drbd-reactor
+spec:
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "9942"
+ ingress:
+ - fromEntities:
+ - world
+ - host
+ - cluster
+ nodeSelector:
+ matchLabels: {}
diff --git a/packages/system/monitoring-agents/templates/networkpolicy.yaml b/packages/system/monitoring-agents/templates/networkpolicy.yaml
new file mode 100644
index 00000000..aa6dd4fe
--- /dev/null
+++ b/packages/system/monitoring-agents/templates/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: restrict-node-exporter
+spec:
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "9100"
+ ingress:
+ - fromEntities:
+ - world
+ - host
+ - cluster
+ nodeSelector:
+ matchLabels: {}
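Review bot: `hostFirewall.enabled: true` in packages/system/cilium/values.yaml is added without a comment, although it is the switch that makes the node-selecting policies added in this commit apply to host traffic. I would put a comment above it such as `# Enforce host policies (CiliumClusterwideNetworkPolicy with nodeSelector) on node traffic`. Because a host policy that lacks an allow rule can cut off access to the nodes themselves, it may be worth rolling this out with Cilium's `policyAuditMode` Helm value enabled first; whether that fits this chart's rollout is not visible from the hunk.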
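Review bot: The `ingressDeny` rule in `restrict-drbd-reactor` matches only the `world` entity, while the `ingress` rule below it allows `world`, `host` and `cluster` on every node (`nodeSelector.matchLabels: {}`), so port 9942 stays reachable from any in-cluster source, pods included. If the intent is that only the metrics scraper talks to this port, the allow side needs to be narrower than `cluster`; if allow-everything-but-one-port is intended, say so in a comment such as `# Allow all host ingress; only world -> 9942 is denied above`. `host` also looks redundant next to `cluster`, which as far as I know already includes the host identity. The same applies to `restrict-node-exporter` (port 9100) in packages/system/monitoring-agents/templates/networkpolicy.yaml.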