diff --git a/.gitignore b/.gitignore
index 340b20d..dcf9e6e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,43 +1,42 @@
-# .gitignore for Secure Debian ISO Project
-
-# Output directory
-output/
-
-# Generated ISO files
+# KNEL-Football ISO build artifacts
 *.iso
-*.iso.sha256
-*.iso.asc
-
-# Build artifacts
-config/binary
-config/cache
-config/chroot
-config/.build
-
-# Live-build temporary files
-binary-hybrid.iso
-live-build.log
-
-# Virtual machine images
-*.qcow2
-*.vmdk
+*.sha256
+*.md5
 *.img
-# Test artifacts
-test-reports/
-coverage/
+# Build directories
+knel-build/
+knel-iso/
+knel-custom/
+knel-final/
+artifacts/
+.chroot/
+.cache/
+.build/
+tmp/
+output/
-# IDE and editor files
-.vscode/
-.idea/
-*.swp
-*.swo
+# Live-build artifacts
+config/
+binary/
+.cache/
+bootstrap/
+
+# Temporary files
+*.log
+*.tmp
 *~
-
-# OS specific files
 .DS_Store
 Thumbs.db
-# Temporary files
-tmp/
-temp/
\ No newline at end of file
+# Downloaded files
+debian-*.iso
+*.netinst.iso
+*.tar.gz
+*.tar.xz
+
+# Security - don't commit sensitive configs
+*key*
+*.pem
+*.crt
+secrets/
\ No newline at end of file
diff --git a/config/hooks/live/firewall-setup.sh b/config/hooks/live/firewall-setup.sh
index f1f92f3..45a93dd 100755
--- a/config/hooks/live/firewall-setup.sh
+++ b/config/hooks/live/firewall-setup.sh
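Review bot: The new `config/` entry under "Live-build artifacts" ignores the directory that holds the tracked hooks modified by this same commit (`config/hooks/live/firewall-setup.sh`, `config/hooks/live/qr-code-import.sh`); files already in the index stay tracked, but any new hook, package list or chroot include added under `config/` will be silently left out of future commits. The old file ignored only the live-build outputs (`config/binary`, `config/cache`, `config/chroot`, `config/.build`), and restoring those four entries in place of `config/` keeps the generated tree ignored without hiding source. `.cache/` is listed twice, and `*key*` matches any path containing "key" (keyboard or keyring configuration included), so a narrower set such as `*.key` alongside the existing `*.pem` would keep private keys out of the repository without dropping legitimate files.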
@@ -2,10 +2,38 @@
 # Dynamic firewall setup hook
 set -euo pipefail
-# Install firewall setup script
-install -m 755 /usr/local/bin/firewall-setup.sh
+echo "Setting up firewall configuration..."
+
+# Load firewall setup functions from proper volume path
+# shellcheck source=/build/src/firewall-setup.sh
+source /build/src/firewall-setup.sh
+
+# Install nftables rules (default deny policy)
+cat >/etc/nftables.conf <<'EOF'
+#!/usr/sbin/nft -f
+# Default secure firewall rules for KNEL-Football
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop
+ iif lo accept comment "Accept loopback"
+ icmp type echo-request accept comment "Accept ping"
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop
+ oif lo accept comment "Accept loopback"
+ icmp type echo-request accept comment "Allow ping"
+ }
+}
+EOF
 # Enable nftables service
 systemctl enable nftables
-echo "Firewall setup hook completed."
\ No newline at end of file
+echo "Firewall setup hook completed."
diff --git a/config/hooks/live/qr-code-import.sh b/config/hooks/live/qr-code-import.sh
index 778e76b..dc588e0 100755
--- a/config/hooks/live/qr-code-import.sh
+++ b/config/hooks/live/qr-code-import.sh
@@ -10,7 +10,7 @@ apt-get install -y zbar-tools python3-pil
 apt-get clean
 # Create QR code scanning script
-cat > /usr/local/bin/scan-wireguard-qr.sh << 'EOF'
+cat >/usr/local/bin/scan-wireguard-qr.sh <<'EOF'
 #!/bin/bash
 # Scan WireGuard QR code and update configuration
 set -euo pipefail
@@ -90,7 +90,7 @@ chmod +x /usr/local/bin/scan-wireguard-qr.sh
 # Create desktop shortcut
 mkdir -p /usr/share/applications
-cat > /usr/share/applications/scan-wireguard-qr.desktop << EOF
+cat >/usr/share/applications/scan-wireguard-qr.desktop <
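Review bot: The ruleset written to `/etc/nftables.conf` has no `ct state established,related accept` in either chain, and the output chain's drop policy lets out only loopback and echo-request, so the input chain's "Accept ping" rule never produces a reply that leaves the host and every outbound DNS, DHCP, apt or WireGuard flow — including the tunnel that `scan-wireguard-qr.sh` in the next file configures — is dropped. Because the table is `inet`, the same drop policy also discards ICMPv6 neighbour discovery, which disables IPv6 outright rather than filtering it. Separately, `source /build/src/firewall-setup.sh` runs inside the live-build chroot, where that path exists only if the build copies it in; under `set -euo pipefail` a missing file aborts the image build, and nothing sourced is used by the lines that follow, so the line looks like a leftover and should be removed or guarded with `[ -r /build/src/firewall-setup.sh ] && source /build/src/firewall-setup.sh`. The lines below add the stateful and neighbour-discovery accepts; which outbound services the image must reach is a policy decision, so it is left as a marked placeholder.
```shell
    chain input {
        type filter hook input priority 0; policy drop
        ct state invalid drop
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept comment "IPv6 neighbour discovery"
        # … unchanged: loopback and echo-request accepts …
    }
    # … unchanged: forward chain …
    chain output {
        type filter hook output priority 0; policy drop
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept comment "IPv6 neighbour discovery"
        # … unchanged: loopback and echo-request accepts …
        # TODO(review): add the DNS/DHCP/WireGuard endpoints this image needs
    }
```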