This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel. (Longer term, we should probably move to a single service
for managing the iptables rules.)
This is useful for packages like mosh, which use a wide UDP port range
by default for incoming connections.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
