Problem with rc.firewall6 (FreeBSD 5.1)
Carmen Sandiego on Monday, 23 February 2004 17:02:40
I've been trying to configure the firewall now for hours but I can't figure out the reason for my problem.
My problem is that I can ping everything within my subnet but I can't ping the SixXS tunnel endpoint or any other IPv6 address (ping6: sendmsg: Permission denied). Even firewall type "open" doesn't give me the right response. Only if I turn off the firewall and flush the rules can I ping6 other IPv6 addresses.
If anyone of you knows how to solve my problem, please do so...
Here is my firewall:
# Set these to your outside interface network and prefixlen and ip.
oif="ed0"
onet="2001:960:2:c6::"
oprefixlen="64"
oip="2001:960:2:c6::2"
# Set these to your inside interface network and prefixlen and ip.
iif="ed1"
inet="2001:960:65c:1::"
iprefixlen="64"
iip="2001:960:65c:1::1"
# Stop spoofing.
${fw6cmd} add deny log all from ${inet}/${iprefixlen} to any in via ${oif}
${fw6cmd} add deny log all from ${onet}/${oprefixlen} to any in via ${iif}
# Stop site-local on the outside interface
${fw6cmd} add deny log all from fec0::/10 to any via ${oif}
${fw6cmd} add deny log all from any to fec0::/10 via ${oif}
# Disallow "internal" addresses to appear on the wire.
${fw6cmd} add deny log all from ::ffff:0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny log all from any to ::ffff:0.0.0.0/96 via ${oif}
# Disallow packets to malicious IPv4 compatible prefix.
${fw6cmd} add deny log all from ::224.0.0.0/100 to any via ${oif}
${fw6cmd} add deny log all from any to ::224.0.0.0/100 via ${oif}
${fw6cmd} add deny log all from ::127.0.0.0/104 to any via ${oif}
${fw6cmd} add deny log all from any to ::127.0.0.0/104 via ${oif}
${fw6cmd} add deny log all from ::0.0.0.0/104 to any via ${oif}
${fw6cmd} add deny log all from any to ::0.0.0.0/104 via ${oif}
${fw6cmd} add deny log all from ::255.0.0.0/104 to any via ${oif}
${fw6cmd} add deny log all from any to ::255.0.0.0/104 via ${oif}
${fw6cmd} add deny log all from ::0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny log all from any to ::0.0.0.0/96 via ${oif}
# Disallow packets to malicious 6to4 prefix.
${fw6cmd} add deny log all from 2002:e000::/20 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:e000::/20 via ${oif}
${fw6cmd} add deny log all from 2002:7f00::/24 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:7f00::/24 via ${oif}
${fw6cmd} add deny log all from 2002:0000::/24 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:0000::/24 via ${oif}
${fw6cmd} add deny log all from 2002:ff00::/24 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:ff00::/24 via ${oif}
${fw6cmd} add deny log all from 2002:0a00::/24 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:0a00::/24 via ${oif}
${fw6cmd} add deny log all from 2002:ac10::/28 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:ac10::/28 via ${oif}
${fw6cmd} add deny log all from 2002:c0a8::/32 to any via ${oif}
${fw6cmd} add deny log all from any to 2002:c0a8::/32 via ${oif}
${fw6cmd} add deny log all from ff05::/16 to any via ${oif}
${fw6cmd} add deny log all from any to ff05::/16 via ${oif}
# Allow anything on the internal net.
${fw6cmd} add allow all from any to any via ${iif}
# Allow anything outbound from this net.
${fw6cmd} add allow all from ${onet}/${oprefixlen} to any out via ${oif}
# Deny anything outbound from other nets.
${fw6cmd} add deny log all from any to any out via ${oif}
# Allow TCP through if setup succeeded.
${fw6cmd} add allow tcp from any to any established
# Allow IP fragments to pass through.
${fw6cmd} add allow all from any to any frag
# Allow inbound ftp, ssh, email, tcp-dns, http, https, pop3, pop3s.
${fw6cmd} add allow tcp from any to ${oip} 21 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 22 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 25 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 53 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 80 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 443 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 110 setup in via ${oif}
${fw6cmd} add allow tcp from any to ${oip} 995 setup in via ${oif}
# Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
# without logging.
${fw6cmd} add deny tcp from any to ${oip} 113 setup in via ${oif}
${fw6cmd} add deny tcp from any to ${oip} 139 setup in via ${oif}
${fw6cmd} add deny tcp from any to ${oip} 389 setup in via ${oif}
${fw6cmd} add deny tcp from any to ${oip} 445 setup in via ${oif}
# Deny some chatty UDP broadcast protocols without logging.
${fw6cmd} add deny udp from any 137 to any in via ${oif}
${fw6cmd} add deny udp from any to any 137 in via ${oif}
${fw6cmd} add deny udp from any 138 to any in via ${oif}
${fw6cmd} add deny udp from any 513 to any in via ${oif}
${fw6cmd} add deny udp from any 525 to any in via ${oif}
# Allow inbound DNS and NTP replies. This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fw6cmd} add allow udp from any 53 to ${oip} in via ${oif}
${fw6cmd} add allow udp from any 123 to ${oip} in via ${oif}
# Allow inbound DNS queries.
${fw6cmd} add allow udp from any to ${oip} 53 in via ${oif}
# Deny inbound NTP queries without logging.
${fw6cmd} add deny udp from any to ${oip} 123 in via ${oif}
# Allow traceroute to function, but not to get in.
${fw6cmd} add unreach port udp from any to ${oip} 33435-33524 in via ${oif}
# Allow RIPng
#${fw6cmd} add allow udp from fe80::/10 521 to ff02::9 521
#${fw6cmd} add allow udp from fe80::/10 521 to fe80::/10 521
# Allow some inbound icmps - dest unreach, too big, time exceeded,
# echo, echo reply, neighbor solicit, neighbor ad.
${fw6cmd} add allow ipv6-icmp from any to any icmptypes 1,2,3,128,129,135,136
# Everything else is denied and logged.
${fw6cmd} add deny log all from any to any
;;
#################
Thanks for helping me.
Problem with rc.firewall6 (FreeBSD 5.1)
Jeroen Massar on Monday, 23 February 2004 21:10:26
I can give you a little hint though: oif="ed0" is wrong ;)
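To see what the hint about ${oif} means in practice, here is an added example (not from the thread, the poster or the FreeBSD rc.firewall6 script): a small first-match simulator for the structure of the ruleset posted above. It mirrors the posted rules in abridged form (one representative bogon entry, the established/setup TCP rules, the blanket ICMPv6 allow and the final deny) and evaluates a described packet top to bottom, the way ip6fw does. The tunnel interface name "gif0", the tunnel endpoint address 2001:960:2:c6::1, the remote address 2001:db8::1 and the spoofed source 2001:960:65c:1::5 are all constructed for the demonstration; the thread does not say which interface carries the tunnel. ICMPv6 type matching is simplified to "echo is among the listed types".

```python
"""Added example: first-match simulator for the shape of the posted ip6fw
ruleset, parameterised by which interface ${oif} is bound to."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv6Network("::/0")


def net(s: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(s, strict=False)


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "all", "tcp", "udp", "ipv6-icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    direction: Optional[str] = None   # "in", "out" or None (either way)
    via: Optional[str] = None         # interface name or None (any)
    setup: bool = False               # TCP SYN-only packets (ip6fw "setup")
    established: bool = False         # TCP packets that are not SYN-only
    comment: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str                    # "in" or "out"
    iface: str                        # interface the packet crosses
    syn_only: bool = False


def build_rules(oif: str, iif: str = "ed1",
                onet: str = "2001:960:2:c6::/64",
                inet: str = "2001:960:65c:1::/64",
                oip: str = "2001:960:2:c6::2") -> list:
    """Abridged copy of the posted ruleset, in the posted order."""
    oip_net = net(oip + "/128")
    return [
        Rule("deny", "all", net(inet), ANY, "in", oif, comment="anti-spoof: inside net arriving on outside if"),
        Rule("deny", "all", net(onet), ANY, "in", iif, comment="anti-spoof: outside net arriving on inside if"),
        Rule("deny", "all", net("fec0::/10"), ANY, None, oif, comment="site-local on outside if"),
        Rule("deny", "all", net("2002:e000::/20"), ANY, None, oif, comment="bogus 6to4 prefix (one of the posted list)"),
        Rule("allow", "all", ANY, ANY, None, iif, comment="anything on the internal net"),
        Rule("allow", "all", net(onet), ANY, "out", oif, comment="anything outbound from our net"),
        Rule("deny", "all", ANY, ANY, "out", oif, comment="other outbound, logged"),
        Rule("allow", "tcp", ANY, ANY, established=True, comment="tcp established"),
        Rule("allow", "tcp", ANY, oip_net, "in", oif, setup=True, comment="inbound setup to our ip (ssh etc.)"),
        Rule("allow", "ipv6-icmp", ANY, ANY, comment="selected icmp6 types (echo assumed among them)"),
        Rule("deny", "all", ANY, ANY, comment="everything else, logged"),
    ]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv6Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.via and rule.via != pkt.iface:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    if rule.established and not (pkt.proto == "tcp" and not pkt.syn_only):
        return False
    return True


def verdict(oif: str, pkt: Packet) -> tuple:
    """Return (action, comment) of the first rule that matches pkt."""
    for rule in build_rules(oif):
        if matches(rule, pkt):
            return rule.action, rule.comment
    raise AssertionError("ruleset lacks a final catch-all rule")


# Constructed packets; "gif0" is the assumed tunnel interface.
OUR_IP = "2001:960:2:c6::2"
ECHO_OUT = Packet("ipv6-icmp", OUR_IP, "2001:960:2:c6::1", "out", "gif0")
SSH_OUT = Packet("tcp", OUR_IP, "2001:db8::1", "out", "gif0", syn_only=True)
SSH_IN = Packet("tcp", "2001:db8::1", OUR_IP, "in", "gif0", syn_only=True)
SPOOFED_IN = Packet("ipv6-icmp", "2001:960:65c:1::5", OUR_IP, "in", "gif0")

if __name__ == "__main__":
    for name, pkt in [("echo out", ECHO_OUT), ("ssh out", SSH_OUT),
                      ("ssh in", SSH_IN), ("spoofed inside-net src in", SPOOFED_IN)]:
        for oif in ("ed0", "gif0"):
            print(f"oif={oif:5} {name:27} -> {verdict(oif, pkt)}")
```

Running it shows what the binding changes: with oif="ed0" no rule that says "via ${oif}" ever sees traffic on the tunnel interface, so an outbound TCP connection over the tunnel falls through to the final logged deny (the EPERM from sendmsg), inbound TCP setup to our own address is denied, and a packet claiming an inside-net source that arrives through the tunnel is accepted because the anti-spoof rule is watching ed0 instead. With oif="gif0" the same packets hit the intended rules. In this simplified model the unrestricted ICMPv6 rule passes an echo request on either binding, so the table is a tool for tracing rule order rather than a verdict on the poster's exact symptom.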