Ah, progress! If the policy is changed to accept, things work. Also, if it is kept as drop, but the input ICMP rule is copied to output, things work. Is this a sensible rule?

icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

On 08/10/2024 21:28, Kevin P. Fleming wrote:
> On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
>> chain output {
>>     type filter hook output priority filter; policy drop;
>>     ct state { established, related } accept
>>     ip protocol icmp icmp type echo-request accept
>>     ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
>>     icmpv6 type echo-request accept
>>     ip protocol { tcp, udp } th dport 53 accept
>>     tcp dport 123 accept
>>     tcp dport { 80, 443 } accept
>>     tcp dport { 25, 465, 587, 993, 995, 4190 } accept
>> }
> What happens if you change this policy to 'accept', and make no other changes?
>
> At a minimum, you aren't allowing outbound IPv6 ICMP ND packets, which are required for finding other hosts (analogous to IPv4 ARP).
>
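
An added example, not part of either message in this thread: an output chain with policy drop that permits the outbound Neighbor Discovery traffic the quoted reply refers to. It assumes an end host (not a router) and a table named `inet filter` (the thread shows only the chain); the thread's own TCP/UDP port rules would follow unchanged.

```nftables
# Added example, not from the thread. Assumptions: the machine is an end
# host, not a router, and the table is called "inet filter".
table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        # Replies to traffic that was already accepted. A neighbor or router
        # solicitation the host originates is a new packet, so this rule
        # alone does not let it out.
        ct state { established, related } accept

        # Neighbor Discovery messages an end host originates:
        #   nd-router-solicit    ask for a router advertisement
        #   nd-neighbor-solicit  resolve a link-layer address (the ARP analogue)
        #   nd-neighbor-advert   answer another node's solicitation
        # RFC 4861 requires ND packets to carry hop limit 255.
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # MLD reports sent when the host joins or leaves multicast groups,
        # including the solicited-node groups that ND relies on.
        icmpv6 type { mld-listener-report, mld-listener-done, mld2-listener-report } accept

        # ICMPv6 errors and outbound ping.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Not listed here: nd-router-advert and mld-listener-query. Routers
        # and multicast queriers send those, so an end host needs them in its
        # input chain rather than its output chain.

        # IPv4 ping, as in the thread's chain.
        ip protocol icmp icmp type echo-request accept

        # The thread's TCP/UDP port rules go here unchanged.
    }
}
```

Saved to a file, the ruleset can be syntax-checked without loading it using `nft -c -f <file>`.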