We should come up with a watchdog rule that tests whether or not certain netfilter rules are in place
I guess what I am trying to say is, for example: if I want all ports but 80 to be closed from the outside, it would be nice to have a watchdog rule that could check that... e.g. after a reboot, maybe loading my iptables script into the kernel didn't work for some reason, someone fiddled with the live config, some process...
What you would do then is create a Rule that tries to open either a UDP or TCP connection on a remote host; it succeeds if the connection starts and fails if the connection fails. This would allow a remote machine running watchdog to test the server ports.
I don't think that's the smart way to do it... for the same reason you don't run nmap against a machine continuously just to check whether or not its firewall settings are what you want them to be. I'd rather use iptables-save on the machine in question (triggered by a Rule) and compare it to what I wanted it to be (e.g. using a simple diff to compare the current state to what it should be). Sorry if I didn't manage to get the idea across initially :)
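The iptables-save-and-diff check from the previous post, written out as an added example (this is not code from the watchdog project or from anyone in this thread). The raw iptables-save output cannot be diffed directly: it carries "# Generated by"/"# Completed on" lines with timestamps and, with -c, packet/byte counters that change on every run, so those are stripped first. The expected-ruleset path /etc/watchdog/iptables.expected, the --snapshot/--check switches and the sample dumps in the test are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that the live netfilter ruleset still matches a
# known-good snapshot. Exits non-zero on mismatch so a watchdog-style
# test rule can treat that as a failure. Not the watchdog project's code.

# Reduce an iptables-save dump to the parts that are stable across runs:
# drop comment lines (they contain timestamps), drop the [pkts:bytes]
# counters on chain headers and on rules saved with -c, trim trailing
# whitespace and blank lines. Rule order is preserved on purpose, since
# in netfilter the order of rules is part of the policy.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d'
}

# compare_rules EXPECTED ACTUAL
# Both files are normalised before diffing, so the expected file may be a
# raw iptables-save dump or one already passed through normalize_rules.
# Returns 0 when they match, 1 when they differ (diff is printed), 2 on error.
compare_rules() {
    expected_raw="$1"
    actual_raw="$2"
    expected_norm=$(mktemp) || return 2
    actual_norm=$(mktemp) || { rm -f "$expected_norm"; return 2; }
    normalize_rules < "$expected_raw" > "$expected_norm"
    normalize_rules < "$actual_raw" > "$actual_norm"
    if diff -u "$expected_norm" "$actual_norm"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$expected_norm" "$actual_norm"
    return "$rc"
}

# Dump the live ruleset and compare it to the snapshot on disk.
# The default snapshot path is an assumption for this example.
check_live_ruleset() {
    expected="${1:-/etc/watchdog/iptables.expected}"
    live=$(mktemp) || exit 2
    if ! iptables-save > "$live"; then
        rm -f "$live"
        echo "iptables-save failed; is the firewall even loaded?" >&2
        exit 2
    fi
    compare_rules "$expected" "$live"
    rc=$?
    rm -f "$live"
    exit "$rc"
}

# --snapshot  : print the normalised live ruleset (redirect it to the expected file)
# --check [F] : compare the live ruleset against F (default path above)
case "${1:-}" in
    --snapshot) iptables-save | normalize_rules ;;
    --check)    check_live_ruleset "${2:-}" ;;
esac
```

Take the snapshot once the firewall is in the state you want (`sh check_fw.sh --snapshot > /etc/watchdog/iptables.expected`), then have the watchdog rule run `sh check_fw.sh --check`. A rule set that failed to load after a reboot typically shows up as the default ACCEPT policies with no rules, which this check reports as a diff on the very first lines; a rule someone inserted by hand shows up as an added line at its position in the chain.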