> reconfiguring the firewall involves clearing the old configuration and leaving things open for a period
This is only the case if you are doing it wrong.
The right way to do this is to set the default policies to 'drop everything', then flush the rules (at this point, nothing goes through), then set the new rules, and if needed, change the default policies.
By setting the default policies to 'drop', not 'reject', packets sent by anything will just be silently dropped, and the sender will retry in a little bit (by which time the new rules should be in place).
In addition to this, it is possible to insert or remove rules in the existing ruleset, but figuring out the right way to do this is hard.
There is also the 'owner' module that lets you set rules by a number of criteria. From `man iptables`:

```
This module attempts to match various characteristics of the packet
creator, for locally generated packets. This match is only valid in the
OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
associated with them. Packets from kernel threads do have a socket, but
usually no owner.

[!] --uid-owner username
[!] --uid-owner userid[-userid]
       Matches if the packet socket's file structure (if it has one) is
       owned by the given user. You may also specify a numerical UID,
       or an UID range.

[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
       Matches if the packet socket's file structure is owned by the
       given group. You may also specify a numerical GID, or a GID

       Matches if the packet is associated with a socket.
```
In addition to this I see references to `--cmd-owner` that lets you set rules based on the name of the program running it.
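The reload order described in this answer (DROP policies first, then flush, then new rules, then relax policies), written out as a script. This is an added example, not code from the original post; the ruleset it loads is illustrative, and the `ipt` wrapper, `DRY_RUN` and `--apply` are assumptions of the example.

```shell
#!/bin/sh
# Safe iptables reload: close the default policies before flushing, so there
# is never a window with no policy and no rules. Constructed example; the
# rules are illustrative. Without --apply it only prints the commands.
DRY_RUN="${DRY_RUN:-1}"

# ipt runs iptables, or prints the command when DRY_RUN=1 (no root needed).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}
# 1. Default policy DROP on every chain. DROP rather than REJECT: senders see
#    no error, just a lost packet, and retry once the new rules are in place.
close_firewall() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}
# 2. Flush rules and delete user-defined chains. Nothing passes at this point.
flush_rules() {
    ipt -F
    ipt -X
}
# 3. Install the new ruleset (illustrative: loopback, established traffic,
#    SSH in, and outbound only from sockets owned by root via the owner module).
load_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
}
# 4. Only now, if wanted, relax a default policy.
open_policies() {
    ipt -P OUTPUT ACCEPT
}
# Run the four phases in order; stop at the first failure so the firewall
# is left closed rather than half-loaded.
safe_reload() {
    close_firewall && flush_rules && load_rules && open_policies
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
safe_reload
```

Run it as root with `--apply` to actually change the ruleset; without it, the printed sequence can be reviewed first.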