(2) So then I created a firewall-start script that looks like this (copied from one of Merlins scripts):
#!/bin/sh
ip6tables -A INPUT -j DROP
ip6tables -I FORWARD 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -o br0 -p all -j DROP
ip6tables -A FORWARD -i br0 -o any -p all -j ACCEPT
ip6tables -A FORWARD -i br0 -o eth0 -p all -j ACCEPT
ip6tables -A FORWARD -i any -o br0 -p all -j ACCEPT
ip6tables -A FORWARD -j DROP
When I put these rules in my firewall-start script, I was no longer able to use IPv6...that is, web sites that I was previously using IPv6 to visit (google, yahoo, facebook) reverted to IPv4. So this set of rules apparently effectively blocks IPv6 for me.
Not sure how to debug these rules.