On Tue, Jan 11, 2011 at 02:12:15PM -0600, Blake Hudson wrote:
> From: Stephen Harris <lists at spuddy.org>
> > I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty
> > well and is simple to set up. Everything works fine.
> >
> > Until I try to set up an ip6tables firewall.

> I have been waiting for RHEL6/CentOS6 because, as I understand it,
> CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic
> would have to have a default ACCEPT policy or only specific applications
> allowed (based on source port) on a case by case basis. Perhaps this is
> the issue you are running into. However, I would think you'd receive an
> error attempting to set "--state ESTABLISHED,RELATED" within iptables if
> this were the case.

I think that got fixed in earlier versions.

# ip6tables -L | grep state
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED

So it's clear the options are now available. And for a lot of things
it works OK. That's why I think the problem may be fragmentation related,
and the fragments aren't being properly reassembled for the ip6tables
to pass them through.

--
rgds
Stephen