Rules sanity check

Kristof Provost kp at FreeBSD.org
Tue Oct 13 10:32:26 UTC 2015


> On 13 Oct 2015, at 05:51, David Mehler <dave.mehler at gmail.com> wrote:
> Some things I know definitely aren't working is the ipv6 allowing of
> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
> machine the data connection doesn't come through, I'm assuming I'll
> have that same problem when I set up a jailed ftp server as well.
> 
You really, really want to allow ICMPv6. Without ICMPv6, critical things
like path MTU (remember, there’s no router fragmentation in IPv6, you
*need* path MTU discovery) and router advertisements will not work.

It’s still possible to filter out undesirable ICMPv6 types, but I’d start
out just allowing everything.

I’ve not looked at the rest of it in any depth, but the ICMPv6 thing probably
explains all of the IPv6 issues you’ve had.

Regards,
Kristof
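
Added illustration, not part of Kristof's message or David's ruleset: a pf.conf fragment showing the "allow everything" starting point the reply recommends, with a narrower type list as a commented-out alternative. The choice of types in the alternative is an assumption based on the functions named in the reply (path MTU discovery, router advertisements) plus ping and error reports.

```conf
# pf.conf fragment (added example; rule placement within an existing
# ruleset is an assumption, put it before any rule that blocks inet6)

# Starting point: pass all ICMPv6 in both directions.
pass quick inet6 proto icmp6 all

# Narrower alternative once IPv6 works: swap the rule above for this one.
#   toobig                  path MTU discovery
#   routersol, routeradv    router solicitation / advertisement
#   neighbrsol, neighbradv  neighbour discovery
#   echoreq, echorep        ping6
#   unreach, timex, paramprob  error reports
# pass quick inet6 proto icmp6 all icmp6-type { unreach, toobig, timex, paramprob, echoreq, echorep, routersol, routeradv, neighbrsol, neighbradv }
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the rules without applying them.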



More information about the freebsd-pf mailing list