diff --git a/VERSION b/VERSION
index 2ac9634..5b09c67 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.13
+1.0.14
diff --git a/cmd/edgeguard-api/main.go b/cmd/edgeguard-api/main.go
index 12e6f58..acc6f15 100644
--- a/cmd/edgeguard-api/main.go
+++ b/cmd/edgeguard-api/main.go
@@ -39,7 +39,7 @@ import (
 	wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
 
-var version = "1.0.13"
+var version = "1.0.14"
 
 func main() {
 	addr := os.Getenv("EDGEGUARD_API_ADDR")
diff --git a/cmd/edgeguard-ctl/main.go b/cmd/edgeguard-ctl/main.go
index 5c0d16f..bc1a1f1 100644
--- a/cmd/edgeguard-ctl/main.go
+++ b/cmd/edgeguard-ctl/main.go
@@ -9,7 +9,7 @@ import (
 	"os"
 )
 
-var version = "1.0.13"
+var version = "1.0.14"
 
 const usage = `edgeguard-ctl — EdgeGuard CLI
 
diff --git a/cmd/edgeguard-scheduler/main.go b/cmd/edgeguard-scheduler/main.go
index 7224a7c..c8f9bd7 100644
--- a/cmd/edgeguard-scheduler/main.go
+++ b/cmd/edgeguard-scheduler/main.go
@@ -5,7 +5,7 @@ import (
 	"time"
 )
 
-var version = "1.0.13"
+var version = "1.0.14"
 
 func main() {
 	log.Printf("edgeguard-scheduler %s starting", version)
diff --git a/management-ui/package.json b/management-ui/package.json
index 150a643..2950fc0 100644
--- a/management-ui/package.json
+++ b/management-ui/package.json
@@ -1,7 +1,7 @@
 {
   "name": "edgeguard-management-ui",
   "private": true,
-  "version": "1.0.13",
+  "version": "1.0.14",
   "type": "module",
   "scripts": {
     "dev": "vite",
diff --git a/management-ui/src/components/Layout/Sidebar.tsx b/management-ui/src/components/Layout/Sidebar.tsx
index 10c5376..e15e355 100644
--- a/management-ui/src/components/Layout/Sidebar.tsx
+++ b/management-ui/src/components/Layout/Sidebar.tsx
@@ -70,7 +70,7 @@ const NAV: NavSection[] = [
   },
 ]
 
-const VERSION = '1.0.13'
+const VERSION = '1.0.14'
 
 export default function Sidebar({ isOpen, onClose }: SidebarProps) {
   const { t } = useTranslation()
diff --git a/packaging/debian/edgeguard-api/DEBIAN/postinst b/packaging/debian/edgeguard-api/DEBIAN/postinst
index 9c46efe..7ae88bb 100755
--- a/packaging/debian/edgeguard-api/DEBIAN/postinst
+++ b/packaging/debian/edgeguard-api/DEBIAN/postinst
@@ -98,10 +98,17 @@ SUDOERS
         # ── Render initial service configs ───────────────────────────
         # Writes /etc/edgeguard/haproxy/haproxy.cfg + nftables.d/
         # ruleset.nft from the (just-migrated, empty) PG state.
-        # --no-reload because haproxy isn't pointed at our config yet
-        # — the drop-in below does that, then we restart.
-        if ! sudo -n -u "$EG_USER" /usr/bin/edgeguard-ctl render-config --no-reload; then
-            echo "postinst: edgeguard-ctl render-config failed — aborting" >&2
+        #
+        # haproxy bekommt --no-reload (drop-in unten zeigt erst danach
+        # auf unsere cfg; wir restarten explizit); nftables muss aber
+        # aktiv reloadet werden, sonst läuft das Kernel-Set bei Template-
+        # Änderungen (z.B. neue anti-lockout-Ports) hinterher.
+        if ! sudo -n -u "$EG_USER" /usr/bin/edgeguard-ctl render-config --only=haproxy --no-reload; then
+            echo "postinst: edgeguard-ctl render-config (haproxy) failed — aborting" >&2
+            exit 1
+        fi
+        if ! sudo -n -u "$EG_USER" /usr/bin/edgeguard-ctl render-config --only=nftables; then
+            echo "postinst: edgeguard-ctl render-config (nftables) failed — aborting" >&2
             exit 1
         fi