Only restart fail2ban in rc.firewall if it's *not* started from boot.

rc.d/rc.firewall

@@ -69,7 +69,7 @@ start_firewall() {
 
   # Allow unrestricted access from our IPs.
   for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" --s "$ENTRY" -j ACCEPT
+    iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
   for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
     ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
@@ -159,7 +159,9 @@ case "$1" in
     ;;
 esac
 
-# Restart fail2ban to re-create the ban chains.
+# Unless the system is booting, restart fail2ban to re-create the ban chains.
-[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+[[ "$PREVLEVEL" != "N" ]] && {
+  [[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+}
 
 exit 0

rc.d/rc.firewall-complete

@@ -205,7 +205,9 @@ case "$1" in
     ;;
 esac
 
-# Restart fail2ban to re-create the ban chains.
+# Unless the system is booting, restart fail2ban to re-create the ban chains.
-[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+[[ "$PREVLEVEL" != "N" ]] && {
+  [[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+}
 
 exit 0

rc.d/rc.firewall-float

@@ -187,7 +187,9 @@ case "$1" in
     ;;
 esac
 
-# Restart fail2ban to re-create the ban chains.
+# Unless the system is booting, restart fail2ban to re-create the ban chains.
-[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+[[ "$PREVLEVEL" != "N" ]] && {
+  [[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+}
 
 exit 0