The cron task that adds a few ipv6 rules at reboot for babeld/re6stnet is a time bomb. If someone has a firewall, updates its conf and restarts it instead of rebooting, the result is likely to be wrong with consequences like:
- no more access to the machine (if re6stnet was used to access it)
- machine acting like a blackhole (INPUT rules still there but FORWARD back to DROP)
Someone who sets up a firewall must understand things a minimum and configure it himself for re6stnet. ipv4 rules are anyway required. Maybe that's what happened on server managed by @romain, where there were only 2 tunnels with outside because the openvpn server was firewalled.
@vpelletier had the idea to document in re6stnet how to configure shorewall. We should finish this.
The playbook could also issue a warning in the case that there's a firewall. Maybe you have better ideas about how to draw attention.