How would a firewall make the GUA work, but not the ULA?
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='OpenVPNServer lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].network='wan6 wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-WWW'
firewall.@rule[3].proto='tcp'
firewall.@rule[3].dest_port='80'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='22'
firewall.@rule[10].name='SSH'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_ip='10.165.17.1'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='SSH'
firewall.@redirect[0].src_dport='2222'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='993'
firewall.@redirect[1].dest_ip='10.165.17.1'
firewall.@redirect[1].dest_port='993'
firewall.@redirect[1].name='IMAPS'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='10.165.17.1'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[2].name='HTTPS'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp'
firewall.@redirect[3].src_dport='4190'
firewall.@redirect[3].dest_ip='10.165.17.1'
firewall.@redirect[3].dest_port='4190'
firewall.@redirect[3].name='ManagedSieve'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].proto='tcp udp'
firewall.@redirect[4].src_dport='8883'
firewall.@redirect[4].dest_ip='10.165.17.1'
firewall.@redirect[4].dest_port='8883'
firewall.@redirect[4].name='MQTT'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='tcp udp'
firewall.@redirect[5].src_dport='465'
firewall.@redirect[5].dest_ip='10.165.17.1'
firewall.@redirect[5].dest_port='8883'
firewall.@redirect[5].name='MQTT-over-SMTPS'
firewall.@redirect[6]=redirect
firewall.@redirect[6].enabled='1'
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src_dport='587'
firewall.@redirect[6].dest_ip='10.165.17.1'
firewall.@redirect[6].dest_port='587'
firewall.@redirect[6].name='Submission'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='443'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='HTTPS IPv6'
firewall.@rule[12]=rule
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='tcp'
firewall.@rule[12].dest='lan'
firewall.@rule[12].dest_port='993'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].name='IMAPS IPv6'
firewall.@rule[13]=rule
firewall.@rule[13].src='wan'
firewall.@rule[13].proto='tcp'
firewall.@rule[13].dest='lan'
firewall.@rule[13].dest_port='587'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].name='Submission IPv6'
firewall.@rule[14]=rule
firewall.@rule[14].src='wan'
firewall.@rule[14].proto='tcp'
firewall.@rule[14].dest='lan'
firewall.@rule[14].dest_port='465'
firewall.@rule[14].family='ipv6'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].name='MQTT-over-SMTPS IPv6'
firewall.@rule[15]=rule
firewall.@rule[15].src='wan'
firewall.@rule[15].proto='tcp'
firewall.@rule[15].dest='lan'
firewall.@rule[15].dest_port='4190'
firewall.@rule[15].family='ipv6'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].name='Sieve IPv6'
firewall.@rule[16]=rule
firewall.@rule[16].src='wan'
firewall.@rule[16].proto='tcp udp'
firewall.@rule[16].dest='lan'
firewall.@rule[16].dest_port='8883'
firewall.@rule[16].family='ipv6'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].name='MQTT IPv6'
firewall.@rule[17]=rule
firewall.@rule[17].src='wan'
firewall.@rule[17].proto='tcp'
firewall.@rule[17].dest='lan'
firewall.@rule[17].dest_port='22'
firewall.@rule[17].family='ipv6'
firewall.@rule[17].target='ACCEPT'
firewall.@rule[17].name='SSH IPv6'
firewall.@rule[18]=rule
firewall.@rule[18].target='ACCEPT'
firewall.@rule[18].src='wan'
firewall.@rule[18].proto='udp'
firewall.@rule[18].name='OpenVPN'
firewall.@rule[18].dest_port='1194 1195'
firewall.@rule[19]=rule
firewall.@rule[19].target='ACCEPT'
firewall.@rule[19].src='wan'
firewall.@rule[19].dest='lan'
firewall.@rule[19].name='Ping To Network'
firewall.@rule[19].proto='icmp'
firewall.@rule[19].icmp_type='echo-request'
firewall.@rule[20]=rule
firewall.@rule[20].target='ACCEPT'
firewall.@rule[20].src='wan'
firewall.@rule[20].dest='lan'
firewall.@rule[20].dest_port='1883'
firewall.@rule[20].name='MQTT-To-BH'
firewall.@rule[20].dest_ip='192.168.3.1'
firewall.@rule[20].src_ip='10.165.40.0/24'
firewall.@rule[21]=rule
firewall.@rule[21].target='ACCEPT'
firewall.@rule[21].src='wan'
firewall.@rule[21].dest='lan'
firewall.@rule[21].name='iperf'
firewall.@rule[21].dest_port='5001'
firewall.@rule[22]=rule
firewall.@rule[22].target='ACCEPT'
firewall.@rule[22].src='wan'
firewall.@rule[22].dest='lan'
firewall.@rule[22].name='SSH-DMZ-toLAN'
firewall.@rule[22].proto='tcp'
firewall.@rule[22].src_ip='10.165.40.0/24'
firewall.@rule[22].dest_port='22'
firewall.@zone[2]=zone
firewall.@zone[2].name='Untrusted'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='Untrusted'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='Untrusted'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='Untrusted'
firewall.@forwarding[2].src='lan'
firewall.@rule[23]=rule
firewall.@rule[23].target='ACCEPT'
firewall.@rule[23].src='wan'
firewall.@rule[23].dest='Untrusted'
firewall.@rule[23].name='home-le2Untrusted'
firewall.@rule[23].proto='all'
firewall.@rule[23].src_ip='10.165.40.0/24'
firewall.@rule[24]=rule
firewall.@rule[24].target='ACCEPT'
firewall.@rule[24].dest='lan'
firewall.@rule[24].name='HTTP-home-le-toTradfriUK'
firewall.@rule[24].dest_ip='10.166.150.100'
firewall.@rule[24].src='*'
firewall.@rule[24].proto='tcp udp'
firewall.@rule[24].src_ip='10.165.40.0/24'
firewall.@rule[25]=rule
firewall.@rule[25].target='ACCEPT'
firewall.@rule[25].src='wan'
firewall.@rule[25].dest='lan'
firewall.@rule[25].proto='tcp'
firewall.@rule[25].dest_ip='10.164.16.22'
firewall.@rule[25].dest_port='25'
firewall.@rule[25].name='SMTP-DMZ-to-outpost1'
firewall.@rule[25].src_ip='10.165.40.0/24'
# Generated by ip6tables-save v1.4.21 on Wed Nov 25 22:41:45 2020
*mangle
:PREROUTING ACCEPT [1530878:883805216]
:INPUT ACCEPT [61197:4549614]
:FORWARD ACCEPT [1461735:877797290]
:OUTPUT ACCEPT [63549:5987092]
:POSTROUTING ACCEPT [1525159:883776093]
COMMIT
# Completed on Wed Nov 25 22:41:45 2020
# Generated by ip6tables-save v1.4.21 on Wed Nov 25 22:41:45 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Untrusted_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Untrusted_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Untrusted_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_Untrusted_dest_ACCEPT - [0:0]
:zone_Untrusted_forward - [0:0]
:zone_Untrusted_input - [0:0]
:zone_Untrusted_output - [0:0]
:zone_Untrusted_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-WWW" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A zone_Untrusted_dest_ACCEPT -o eth1.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_Untrusted_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_Untrusted_rule
-A zone_Untrusted_forward -m comment --comment "!fw3: forwarding Untrusted -> wan" -j zone_wan_dest_ACCEPT
-A zone_Untrusted_forward -m comment --comment "!fw3" -j zone_Untrusted_dest_ACCEPT
-A zone_Untrusted_input -m comment --comment "!fw3: user chain for input" -j input_Untrusted_rule
-A zone_Untrusted_input -m comment --comment "!fw3" -j zone_Untrusted_src_ACCEPT
-A zone_Untrusted_output -m comment --comment "!fw3: user chain for output" -j output_Untrusted_rule
-A zone_Untrusted_output -m comment --comment "!fw3" -j zone_Untrusted_dest_ACCEPT
-A zone_Untrusted_src_ACCEPT -i eth1.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> Untrusted" -j zone_Untrusted_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Submission IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 465 -m comment --comment "!fw3: MQTT-over-SMTPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 4190 -m comment --comment "!fw3: Sieve IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 8883 -m comment --comment "!fw3: MQTT IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 8883 -m comment --comment "!fw3: MQTT IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "!fw3: Ping To Network" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: iperf" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 5001 -m comment --comment "!fw3: iperf" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1195 -m comment --comment "!fw3: OpenVPN" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 25 22:41:45 2020