Firewall mám v defaultní konfiguraci. ICMPv6 tedy povolené je. Ping z internetu na PC normálně funguje. Na PC mám ip6tables prázdné.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes !connection-limit !connection-mark !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority !protocol !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=no src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=no dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=no hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN