[...]
I understand the fundamental issue very well. The things that can go wrong here are: - I accidentally delete or comment out one of the drop rules - "drop ! NEW" doesn't do the same as "!drop NEW" due to a bug - the universe folds in on itself Are there any other ones I am overlooking?
How about "One rule fails to load for obscure reasons." ?There might be a syntax change in a future release which conflicts with one of your rules. Or an extension might not be available after a kernel upgrade and cause one rule to fail to load. The invocation of iptables loading one rule might fail because some other process temporarily consumes to many ressources. This is no exhaustive list ...
Ralf Döblitz