iptables: Worse Than Hitler?
Yes, because if you boot Hitler he still remembers everything he was doing yesterday. iptables is pretty atrocious in this regard, because even if you enjoy that whole "I can instantly hack up my firewall by running commands from a bash prompt" aspect of the software, at some point you have to stop and ask yourself "What am I going to do if the power goes out?"
That's right, folks. Sometimes you lose power. It happens, and usually when you least expect it. If you're using iptables, then you pretty much have to hope that nothing bad happens between when you type that neat iptables command and when you get it written to disk.
And about that whole thing: iptables doesn't have a built-in "write-this-shit-down" mechanism? There are iptables-save and iptables-restore, of course. Good luck standardizing on how they're used or where you're keeping your rules. I've installed Debian on a system that ignored iptables-save in lieu of /etc/init.d/iptables save "ruleset-name". What's up with that? Who's running this railroad? I have to urge everyone to avoid iptables, not because of the broken syntax, and not because of its inability to share state information between concurrent firewall systems, but because it doesn't use a config file.
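Since the post's complaint is that iptables rules live only in kernel memory until you remember to dump them, here is an added example (not from the original post, and not any distribution's init script) of the iptables-save / iptables-restore workflow done with the power-loss case in mind: the dump goes to a temp file, is checked for completeness, and is only then renamed into place, so a crash mid-write never leaves a half-ruleset to be restored at boot. The rules file path, the function names and the sample dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: persist an iptables ruleset safely and sanity-check a dump
# before restoring it. RULES_FILE is an assumed location, not a standard.
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Write a constructed iptables-save-format dump to $1 (sample data only,
# not captured from a real host).
make_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Return 0 only if the dump looks complete: non-empty, at least one table
# header (*filter, *nat, ...) and exactly one COMMIT per table. A dump cut
# off by a power loss typically lacks the trailing COMMIT.
validate_dump() {
    dump_file="$1"
    [ -s "$dump_file" ] || return 1
    tables=$(grep -c '^\*' "$dump_file" || true)
    commits=$(grep -c '^COMMIT$' "$dump_file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Save the live ruleset: dump to a temp file in the same directory, validate,
# then rename. rename() is atomic on one filesystem, so the file on disk is
# always either the previous complete ruleset or the new complete one.
save_rules() {
    tmp="$(dirname "$RULES_FILE")/.rules.tmp.$$"
    iptables-save > "$tmp" || { rm -f "$tmp"; return 1; }
    if validate_dump "$tmp"; then
        mv -f "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Restore at boot: refuse a dump that fails the structural check, and let
# iptables-restore parse it (--test) before actually applying it.
restore_rules() {
    validate_dump "$RULES_FILE" || { echo "refusing incomplete ruleset: $RULES_FILE" >&2; return 1; }
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# Stand-alone demonstration on the constructed sample (no root, no iptables).
demo_dir="${TMPDIR:-/tmp}/iptables-demo.$$"
mkdir -p "$demo_dir"
make_sample_dump "$demo_dir/good"
sed '$d' "$demo_dir/good" > "$demo_dir/truncated"   # drop the last COMMIT
validate_dump "$demo_dir/good" && echo "complete dump: ok"
validate_dump "$demo_dir/truncated" || echo "truncated dump: rejected"
rm -rf "$demo_dir"
```

save_rules and restore_rules need root and a real iptables; the validation and the demonstration run anywhere. Wire save_rules into whatever step currently edits the firewall, and restore_rules into the boot sequence, and the "what if the power goes out" question has a boring answer.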
There's this thing called "OpenBSD". It has a firewall called PF. PF keeps its config in a file written to disk. It supports redundancy with another PF system via pfsync. It's free.
I cannot think of a single reason why you'd want to use anything else.