Bug 332507 - firehol doesn't report error output
Summary: firehol doesn't report error output
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2010-08-12 18:48 UTC by Tyler Montbriand
Modified: 2012-04-02 20:28 UTC

Attachments
Redirects errors to stderr where they belong. (firehol-errmsg.patch,274 bytes, patch)
2010-08-12 18:51 UTC, Tyler Montbriand

Description Tyler Montbriand 2010-08-12 18:48:55 UTC
When you run firehol through the init script, it never displays any error text from failed ip commands.

Reproducible: Always

Steps to Reproduce:
1. Try and start firehol with a bad kernel config so it fails.
        /etc/init.d/firehol start
2. Now, run firehol by hand:
        /usr/sbin/firehol start

Actual Results:  
When you run the init script, you see error messages like:

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state
NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :

When you run it by hand, you see:

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state
NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables:  No chain/target/match by that name.

Expected Results:  
The error output should be visible from the init script too.

It turns out that the output text of the failed ip command is being written to stdout, even though the block of text prepending it is written to stderr!  Quite probably a bug or oversight.  The init system feeds stdout into /dev/null, so we never see it unless we run /usr/sbin/firehol by hand.

I've attached a patch for the firehol script which fixes this misdirection.

I've set this 'major' since it makes firehol very difficult to debug.
See http://bugs.gentoo.org/show_bug.cgi?id=310797 's lack of output --
I'd been on a wild goose chase with that bug for much longer than that bug's
been posted, "No chain/target/match by that name" would have told me exactly
where to look.
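
The misdirection described in this report, reproduced as an added example; it is not the firehol script's code or the attached patch. The function names `report_buggy`, `report_fixed` and `seen_under_init` are hypothetical, and the error text is a constructed sample modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed stand-in for the captured output of a failed runtime command.
WORK=$(mktemp)
trap 'rm -f "$WORK"' EXIT
printf '%s\n' 'iptables: No chain/target/match by that name.' > "$WORK"

# Hypothetical reporter with the misdirection from the report:
# the header block goes to stderr, the captured output goes to stdout.
report_buggy() {
    {
        echo "ERROR   : # 1."
        echo "WHAT    : A runtime command failed to execute (returned error 2)."
        echo "OUTPUT  :"
    } >&2
    cat "$WORK"
}

# Same reporter with the header and the captured output both on stderr.
report_fixed() {
    {
        echo "ERROR   : # 1."
        echo "WHAT    : A runtime command failed to execute (returned error 2)."
        echo "OUTPUT  :"
        cat "$WORK"
    } >&2
}

# Run a reporter with stdout fed to /dev/null, as the report says the init
# system does, and pass on only what still arrives on stderr.
# Order matters: 2>&1 first points stderr at the caller's stdout, then
# >/dev/null discards the reporter's own stdout.
seen_under_init() {
    "$1" 2>&1 >/dev/null
}

echo "--- buggy reporter, stdout discarded ---"
seen_under_init report_buggy
echo "--- fixed reporter, stdout discarded ---"
seen_under_init report_fixed
```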
Comment 1 Tyler Montbriand 2010-08-12 18:51:16 UTC
Created attachment 242649
Redirects errors to stderr where they belong.
Comment 2 Pacho Ramos gentoo-dev 2012-04-02 20:28:53 UTC
+*firehol-1.273-r2 (02 Apr 2012)
+
+  02 Apr 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/firehol-1.273-log-output.patch, +firehol-1.273-r2.ebuild:
+  Add missing kernel checks (#310797 by Phil Koenig, Tom Knight, Tyler
+  Montbriand), use static and fixed RESERVED_IPS file (#332135 by Richard Gray),
+  handle errors better (#332507 by Tyler Montbriand).
+
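Review bot: the last entry line, "handle errors better (#332507 by Tyler Montbriand)", does not say what changed; name the fix there, for example that the output of a failed command now goes to stderr with the rest of the error block, which is what the bug asks for. The header also lists a single new patch, files/firehol-1.273-log-output.patch, against three separate fixes, so it would help to state which of the three that patch carries and which live in firehol-1.273-r2.ebuild.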