I often use iptables (or ip6tables, the IPv6 version of iptables) to implement firewall rules on my Linux systems.
In earlier times I used a commented bash script to set up the rules after booting, but since I use Gentoo nowadays, there is a nice init script that saves and restores my tables. With this I stopped commenting the firewall rules, but yesterday I found a very nice solution for this problem.
Iptables has a special "match" for comments. You have to enable it in your kernel config like this:

    [*] Networking support --->
        Networking options
            [*] Network packet filtering framework (Netfilter) --->
                Core Netfilter Configuration --->
                    -*- Netfilter Xtables support (required for ip_tables)
                    <*> "comment" match support

or build it as a module.
Then you're able to add rules like

    iptables -A INPUT -m state --state RELATED,ESTABLISHED \
        -m comment --comment "allow all established connections" -j ACCEPT
And if you list your rules (iptables -L INPUT) you get something like

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* allow all established connections */
It's a pity that I never saw this in any iptables tutorials.
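Since the Gentoo init script works with iptables-save and iptables-restore, the natural place for the comments is the saved ruleset itself: iptables-save writes each comment back out as -m comment --comment "...", so it survives a reboot. The following POSIX sh script is an added example, not code from the original post: it builds a small iptables-restore *filter table in which every rule carries a comment, and it includes an offline check that pulls the /* ... */ column out of an iptables -L listing and counts rules that have no comment at all. The chain layout, the 192.0.2.0/24 admin network and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a commented iptables-restore ruleset and audit
# an `iptables -L` listing for undocumented rules. Nothing here touches
# the live firewall; pipe ruleset into `iptables-restore` to apply it.

# commented_rule CHAIN "comment text" <match/target options...>
# Emits one iptables-restore line. Note: the comment match limits a
# comment to 256 characters.
commented_rule() {
    chain=$1
    comment=$2
    shift 2
    printf '%s %s %s -m comment --comment "%s"\n' "-A" "$chain" "$*" "$comment"
}

# Complete *filter table (constructed layout, assumed for this example).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    commented_rule INPUT "allow all established connections" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    commented_rule INPUT "loopback traffic" -i lo -j ACCEPT
    commented_rule INPUT "ssh from the admin network" \
        -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
    echo COMMIT
}

# Print only the comment text of each rule in an `iptables -L` listing.
list_comments() {
    sed -n 's|.*/\* \(.*\) \*/.*|\1|p'
}

# Count listed rules (target column first) that carry no /* comment */.
# A non-zero result means somebody added an undocumented rule.
uncommented_rules() {
    awk '/^(ACCEPT|DROP|REJECT|RETURN|LOG)/ && !/\/\*/ { n++ } END { print n + 0 }'
}

# Constructed sample of `iptables -L INPUT` output for the ruleset above.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* allow all established connections */
ACCEPT     all  --  anywhere             anywhere             /* loopback traffic */
ACCEPT     tcp  --  192.0.2.0/24         anywhere             tcp dpt:ssh /* ssh from the admin network */'

# Usage when run directly: show the ruleset, then the audit of the sample.
ruleset
printf '%s\n' "$SAMPLE_LISTING" | list_comments
printf 'rules without a comment: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | uncommented_rules)"
```

On a real host the audit step is simply `iptables -L -n | uncommented_rules`; putting it into a cron job or a post-restore hook gives you an early warning whenever a rule is added by hand without a comment.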
Note that the ability to select "comment" match support in the kernel config depends on the selection of "Advanced netfilter configuration" in the Network packet filtering framework menu. If this kernel option isn't on, the comment option won't appear in the Core Netfilter Configuration menu.