The /etc/init.d/ipchains script flushes all rules on shutdown. I suggest that this is dangerous. Recomended action: have it default-deny and flush rules on shutdown. Alternatively: have it do nothing on shutdown. An "accept" action for the script should be added to do what the "stop" one curently does.
The problem with that is that if someone wants to disable their firewall, say to use the machine without a firewall at all, their machine is now firewalled off completely. I agree with what you are saying though, but any solution needs to take every circumstance into consideration. The ipchains script on "stop" should put the system back into the state it was when the script was started. So perhaps we could have the rc.sysinit set the default firewall policy first, and then ipchains script would read that setting and act appropriately. Unfortunately, doing this by default would kill DHCP completely and possibly other things too. Feel free to add more thoughts to help try to come up with an adequate solution.
It might suffice just to desist from flushing the rules at shutdown. It could check for $CONFIRM if there isn't already a better way to do this.
Defering for future consideration.
I've decided against this enhancement as I dont believe it is a good idea for the general case.