(type:EXECVE a0:iptables a1:DROP*) OR (type:EXECVE a0:firewall\-cmd a1:remove*) OR (type:EXECVE a0:ufw a1:delete*) OR (type:EXECVE a0:nft (a1:delete* OR a1:flush*))