Page 1 of 1

IPv6 Rules not added to ip6tables

Posted: 20 Jun 2022, 05:25
by WebDevelopmentM4DC
Hi,

I have been going blind on trying to debug why I cannot accept incoming connections on any services via IPv6, even though I can ping fine.

After checking the ip6tables configuration I noticed that the rules are not being added, well at least in Webmin. I am very confused, let me explain why:

- In Webmin -> Linux Firewall I can see all sort of rules being added which reflects what's in CSF


- In Webmin -> Linux IPv6 Firewall I can only see a couple rules added which explains why connections are being rejected

Image

- If I manually check ip6tables -S the output does not match what's shown in Webmin, and if it was IPv6 would work (I assume)

Code: Select all

[root@ws1 ~]# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGDROPIN
-N LOGDROPOUT
-N DENYIN
-N DENYOUT
-N ALLOWIN
-N ALLOWOUT
-N LOCALINPUT
-N LOCALOUTPUT
-N INVDROP
-N INVALID
-N SMTPOUTPUT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1122 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 7080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8088 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p ipv6-icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1122 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 7080 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8088 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 10000 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A LOGDROPIN -p tcp -m tcp --dport 23 -j DROP
-A LOGDROPIN -p udp -m udp --dport 23 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP6IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP6IN Blocked* "
-A LOGDROPIN -p ipv6-icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP6IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP6OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP6OUT Blocked* " --log-uid
-A LOGDROPOUT -p ipv6-icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP6OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp6-port-unreachable
-A DENYIN -m set --match-set chain_6_DENY src -j DROP
-A DENYOUT -m set --match-set chain_6_DENY dst -j LOGDROPOUT
-A ALLOWIN -s 2c0f:f248::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2a06:98c0::/29 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2405:8100::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2405:b500::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2803:f800::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2606:4700::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2400:cb00::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2c0f:f248::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2a06:98c0::/29 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2405:8100::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2405:b500::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2803:f800::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2606:4700::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2400:cb00::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -m set --match-set chain_6_ALLOW src -j ACCEPT
-A ALLOWOUT -m set --match-set chain_6_ALLOW dst -j ACCEPT
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A INVDROP -j DROP
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
  • I`m running Alma Linux 8 -> CL 8: Linux ... 4.18.0-372.9.1.1.lve.el8.x86_64
    Checked OS Settings path for IPV6 and they are OK
    Tried a complete reinstall of CSF with no effect
Clearly there is a bug happening somewhere.. can you please help me? I need IPv6 to work with the services.

Many thanks

Re: IPv6 Rules not added to ip6tables

Posted: 21 Jun 2022, 15:37
by WebDevelopmentM4DC
The current versions of iptables:

iptables v1.8.4 (nf_tables)
ip6tables v1.8.4 (nf_tables)

Re: IPv6 Rules not added to ip6tables

Posted: 23 Jun 2022, 04:24
by WebDevelopmentM4DC
This is the DEBUG log from CSF:

Code: Select all

debug[868]: Command:/usr/sbin/iptables -v --policy INPUT ACCEPT
debug[869]: Command:/usr/sbin/iptables -v --policy OUTPUT ACCEPT
debug[870]: Command:/usr/sbin/iptables -v --policy FORWARD ACCEPT
debug[871]: Command:/usr/sbin/iptables -v --flush
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `SMTPOUTPUT'
debug[872]: Command:/usr/sbin/iptables -v --delete-chain
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `SMTPOUTPUT'
debug[874]: Command:/usr/sbin/iptables -v -t nat --flush
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
debug[875]: Command:/usr/sbin/iptables -v -t nat --delete-chain
debug[878]: Command:/usr/sbin/iptables -v -t raw --flush
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
debug[879]: Command:/usr/sbin/iptables -v -t raw --delete-chain
debug[882]: Command:/usr/sbin/iptables -v -t mangle --flush
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
debug[883]: Command:/usr/sbin/iptables -v -t mangle --delete-chain
debug[887]: Command:/usr/sbin/ip6tables -v --policy INPUT ACCEPT
debug[888]: Command:/usr/sbin/ip6tables -v --policy OUTPUT ACCEPT
debug[889]: Command:/usr/sbin/ip6tables -v --policy FORWARD ACCEPT
debug[890]: Command:/usr/sbin/ip6tables -v --flush
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `SMTPOUTPUT'
debug[891]: Command:/usr/sbin/ip6tables -v --delete-chain
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `SMTPOUTPUT'
debug[893]: Command:/usr/sbin/ip6tables -v -t nat --flush
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
debug[894]: Command:/usr/sbin/ip6tables -v -t nat --delete-chain
debug[897]: Command:/usr/sbin/ip6tables -v -t raw --flush
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
debug[898]: Command:/usr/sbin/ip6tables -v -t raw --delete-chain
debug[901]: Command:/usr/sbin/ip6tables -v -t mangle --flush
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
debug[902]: Command:/usr/sbin/ip6tables -v -t mangle --delete-chain
debug[906]: Command:/usr/sbin/ipset flush
debug[907]: Command:/usr/sbin/ipset destroy
debug[1048]: Command:/usr/sbin/iptables  -v -N LOGDROPIN
debug[1049]: Command:/usr/sbin/iptables  -v -N LOGDROPOUT
debug[1050]: Command:/usr/sbin/iptables  -v -N DENYIN
debug[1051]: Command:/usr/sbin/iptables  -v -N DENYOUT
debug[1052]: Command:/usr/sbin/iptables  -v -N ALLOWIN
debug[1053]: Command:/usr/sbin/iptables  -v -N ALLOWOUT
debug[1054]: Command:/usr/sbin/iptables  -v -N LOCALINPUT
debug[1055]: Command:/usr/sbin/iptables  -v -N LOCALOUTPUT
debug[1057]: Command:/usr/sbin/ip6tables  -v -N LOGDROPIN
debug[1058]: Command:/usr/sbin/ip6tables  -v -N LOGDROPOUT
debug[1059]: Command:/usr/sbin/ip6tables  -v -N DENYIN
debug[1060]: Command:/usr/sbin/ip6tables  -v -N DENYOUT
debug[1061]: Command:/usr/sbin/ip6tables  -v -N ALLOWIN
debug[1062]: Command:/usr/sbin/ip6tables  -v -N ALLOWOUT
debug[1063]: Command:/usr/sbin/ip6tables  -v -N LOCALINPUT
debug[1064]: Command:/usr/sbin/ip6tables  -v -N LOCALOUTPUT
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
debug[1085]: Command:/usr/sbin/iptables  -v -A LOGDROPIN -p tcp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
debug[1086]: Command:/usr/sbin/iptables  -v -A LOGDROPOUT -p tcp --syn -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *TCP_OUT Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
debug[1087]: Command:/usr/sbin/iptables  -v -A LOGDROPIN -p udp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
debug[1088]: Command:/usr/sbin/iptables  -v -A LOGDROPOUT -p udp -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *UDP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
debug[1089]: Command:/usr/sbin/iptables  -v -A LOGDROPIN -p icmp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
debug[1090]: Command:/usr/sbin/iptables  -v -A LOGDROPOUT -p icmp -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *ICMP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
debug[1092]: Command:/usr/sbin/ip6tables  -v -A LOGDROPIN -p tcp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP6IN Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
debug[1093]: Command:/usr/sbin/ip6tables  -v -A LOGDROPOUT -p tcp --syn -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *TCP6OUT Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
debug[1094]: Command:/usr/sbin/ip6tables  -v -A LOGDROPIN -p udp  -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP6IN Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
debug[1095]: Command:/usr/sbin/ip6tables  -v -A LOGDROPOUT -p udp -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *UDP6OUT Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
debug[1096]: Command:/usr/sbin/ip6tables  -v -A LOGDROPIN -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP6IN Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
debug[1097]: Command:/usr/sbin/ip6tables  -v -A LOGDROPOUT -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j LOG --log-uid --log-prefix 'Firewall: *ICMP6OUT Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
debug[1116]: Command:/usr/sbin/iptables  -v -A LOGDROPIN -j DROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1117]: Command:/usr/sbin/iptables  -v -A LOGDROPOUT -j REJECT
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
debug[1119]: Command:/usr/sbin/ip6tables  -v -A LOGDROPIN -j DROP
DROP  all opt    in * out *  ::/0  -> ::/0  
debug[1120]: Command:/usr/sbin/ip6tables  -v -A LOGDROPOUT -j REJECT
REJECT  all opt    in * out *  ::/0  -> ::/0   reject-with icmp6-port-unreachable
debug[1123]: Command:/usr/sbin/iptables  -v -A LOCALOUTPUT ! -o lo -j DENYOUT
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1124]: Command:/usr/sbin/iptables  -v -A LOCALINPUT ! -i lo -j DENYIN
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1125]: Command:/usr/sbin/iptables  -v -I LOCALOUTPUT ! -o lo -j ALLOWOUT
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1126]: Command:/usr/sbin/iptables  -v -I LOCALINPUT ! -i lo -j ALLOWIN
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1128]: Command:/usr/sbin/ip6tables  -v -A LOCALOUTPUT ! -o lo -j DENYOUT
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0  
debug[1129]: Command:/usr/sbin/ip6tables  -v -A LOCALINPUT ! -i lo -j DENYIN
DENYIN  all opt    in !lo out *  ::/0  -> ::/0  
debug[1130]: Command:/usr/sbin/ip6tables  -v -I LOCALOUTPUT ! -o lo -j ALLOWOUT
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0  
debug[1131]: Command:/usr/sbin/ip6tables  -v -I LOCALINPUT ! -i lo -j ALLOWIN
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
debug[2946]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
debug[2947]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -p icmp --icmp-type echo-request -j LOGDROPIN
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8
debug[2955]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -p icmp -j ACCEPT
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[2968]: Command:/usr/sbin/iptables  -v -A OUTPUT ! -o lo -p icmp -j ACCEPT
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[2972]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 1
debug[2973]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 2
debug[2974]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 3
debug[2975]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 4
debug[2976]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 128
debug[2977]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 129
debug[2978]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 134 HL match HL == 255
debug[2979]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 135 HL match HL == 255
debug[2980]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 136 HL match HL == 255
debug[2981]: Command:/usr/sbin/ip6tables  -v  -A INPUT ! -i lo -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0   ipv6-icmptype 137 HL match HL == 255
debug[2986]: Command:/usr/sbin/ip6tables  -v  -A OUTPUT ! -o lo -p icmpv6 -j ACCEPT
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0  
debug[3013]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -p udp -m udp --dport 32768:61000 -j ACCEPT
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   udp dpts:32768:61000
debug[3014]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpts:32768:61000 flags:!0x17/0x02
debug[3027]: Command:/usr/sbin/ip6tables  -v -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
debug[3028]: Command:/usr/sbin/ip6tables  -v -A OUTPUT ! -o lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
debug[1153]: Command:/usr/sbin/iptables  -v -I INPUT  -i lo -j ACCEPT
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1154]: Command:/usr/sbin/iptables  -v -I OUTPUT -o lo -j ACCEPT
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1155]: Command:/usr/sbin/iptables  -v -A OUTPUT ! -o lo -j ACCEPT
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1156]: Command:/usr/sbin/iptables  -v -A OUTPUT ! -o lo -j LOGDROPOUT
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1157]: Command:/usr/sbin/iptables  -v -A INPUT ! -i lo -j LOGDROPIN
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1159]: Command:/usr/sbin/ip6tables  -v -I INPUT  -i lo -j ACCEPT
ACCEPT  all opt    in lo out *  ::/0  -> ::/0  
debug[1160]: Command:/usr/sbin/ip6tables  -v -I OUTPUT -o lo -j ACCEPT
ACCEPT  all opt    in * out lo  ::/0  -> ::/0  
debug[1162]: Command:/usr/sbin/ip6tables  -v -A OUTPUT ! -o lo -j LOGDROPOUT
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0  
debug[1163]: Command:/usr/sbin/ip6tables  -v -A INPUT ! -i lo -j LOGDROPIN
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
debug[1167]: Command:/usr/sbin/iptables  -v -N SMTPOUTPUT
debug[1168]: Command:/usr/sbin/iptables  -v -I OUTPUT -j SMTPOUTPUT
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1170]: Command:/usr/sbin/ip6tables  -v -N SMTPOUTPUT
debug[1171]: Command:/usr/sbin/ip6tables  -v -I OUTPUT -j SMTPOUTPUT
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0  
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
debug[1347]: Command:/usr/sbin/iptables  -v -I OUTPUT 9 ! -o lo -j LOCALOUTPUT
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
debug[1348]: Command:/usr/sbin/iptables  -v -I INPUT 9 ! -i lo -j LOCALINPUT
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
debug[1350]: Command:/usr/sbin/ip6tables  -v -I OUTPUT 1 ! -o lo -j LOCALOUTPUT
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
debug[1351]: Command:/usr/sbin/ip6tables  -v -I INPUT 1 ! -i lo -j LOCALINPUT
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
debug[1370]: Command:/usr/sbin/iptables  -v --policy INPUT   DROP
debug[1371]: Command:/usr/sbin/iptables  -v --policy OUTPUT  DROP
debug[1372]: Command:/usr/sbin/iptables  -v --policy FORWARD DROP
debug[1374]: Command:/usr/sbin/ip6tables  -v --policy INPUT   DROP
debug[1375]: Command:/usr/sbin/ip6tables  -v --policy OUTPUT  DROP
debug[1376]: Command:/usr/sbin/ip6tables  -v --policy FORWARD DROP
Now, I`m hardly an expert in "iptables"... but the last log lines suggest CSF is dropping all policies/rules from ip6tables.

Could this be the root cause?