diff --git a/activator/activator.go b/activator/activator.go
index 36213a3..099bd0e 100644
--- a/activator/activator.go
+++ b/activator/activator.go
@@ -181,11 +181,16 @@ func (s *Server) Stop(ctx context.Context) {
 	}
 
 	for _, l := range s.listeners {
-		l.Close()
+		if err := l.Close(); err != nil {
+			log.G(ctx).WithError(err).Error("closing listener")
+		}
 	}
 
-	log.G(ctx).Debugf("removing %s", PinPath(s.sandboxPid))
+	if err := s.closeMaps(); err != nil {
+		log.G(ctx).WithError(err).Error("closing bpf maps")
+	}
 
+	log.G(ctx).Debugf("removing %s", PinPath(s.sandboxPid))
 	_ = os.RemoveAll(PinPath(s.sandboxPid))
 
 	s.wg.Wait()
@@ -393,6 +398,26 @@ func (s *Server) loadPinnedMaps() error {
 	return nil
 }
 
+func (s *Server) closeMaps() error {
+	errs := []error{}
+	if s.maps.ActiveConnections != nil {
+		errs = append(errs, s.maps.ActiveConnections.Close())
+	}
+	if s.maps.DisableRedirect != nil {
+		errs = append(errs, s.maps.DisableRedirect.Close())
+	}
+	if s.maps.EgressRedirects != nil {
+		errs = append(errs, s.maps.EgressRedirects.Close())
+	}
+	if s.maps.IngressRedirects != nil {
+		errs = append(errs, s.maps.IngressRedirects.Close())
+	}
+	if s.maps.SocketTracker != nil {
+		errs = append(errs, s.maps.SocketTracker.Close())
+	}
+	return errors.Join(errs...)
+}
+
 func (s *Server) mapPath(name string) string {
 	return filepath.Join(PinPath(s.sandboxPid), name)
 }
diff --git a/shim/container.go b/shim/container.go
index cece9db..cab9317 100644
--- a/shim/container.go
+++ b/shim/container.go
@@ -324,6 +324,7 @@ func (c *Container) Stop(ctx context.Context) {
 	c.sendEvent(status)
 	c.StopActivator(ctx)
 	c.cleanupImage(ctx)
+	_ = c.netNS.Close()
 }
 
 func (c *Container) cleanupImage(ctx context.Context) {