
Suggested ipv6 firewall settings

I have a tunnel set up to an IPv6 provider, Hurricane Electric, using the router on my LAN. On the same LAN are two Mac Minis running Snow Leopard Server. Each of the Mac Minis has two network interfaces, one to the LAN with the IPv6 tunnel and one to my ISP with a routable IPv4 address. NAT is not enabled on either of the Mac Minis and the Firewall is active on both Mac Minis.


With the Firewall active, all IPv6 traffic to the router is blocked, even though the Minis have auto-assigned IPv6 addresses. If I turn off the firewall IPv6 connections work just fine through the router tunnel. Obviously, I can't run without a firewall present.


Has anyone developed a recommended set of IPv6 firewall rules for this situation? I would like to allow ALL ipv6 traffic to and from the router on the LAN and use the firewall in the router to control IPv6 traffic that enters via the tunnel.


The default IPv6 firewall rules are:

00001 allow udp from any to any 626
01000 allow ipv6 from any to any via lo0
01100 allow ipv6 from any to ff02::/16
65000 deny ipv6 from any to any
65535 allow ipv6 from any to any


Is the best practice to delete rule 65000, deny ipv6 from any to any, and not do anything else?


There is a lot of ipv6 theory on the web but not much written about best practices for implementing ipv6 on Snow Leopard Server.


Since Server Admin's Firewall interface doesn't show any of the ipv6 settings, is WaterRoof the best tool to use for a GUI interface?

Mac mini, Mac OS X (10.6.8), Snow Leopard Server

Posted on Aug 11, 2011 6:04 AM
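Added example, not part of the original post: a small first-match evaluator run over the rule list quoted in the question, showing which rule decides a link-local multicast packet, a unicast packet, and the same unicast packet once rule 65000 is deleted. Assumptions: rule 00001 is read as udp, the interface names en0/en1 and all packet addresses are constructed, and only the rule grammar seen in the post is parsed.

```python
import ipaddress

# Rule list as posted in the question (rule 00001 read as udp, an assumption).
POSTED = """\
00001 allow udp from any to any 626
01000 allow ipv6 from any to any via lo0
01100 allow ipv6 from any to ff02::/16
65000 deny ipv6 from any to any
65535 allow ipv6 from any to any"""

def parse(line):
    # Grammar covered: NUM ACTION PROTO from SRC to DST [PORT] [via IFACE]
    t = line.split()
    rest = t[7:]
    port = int(rest.pop(0)) if rest and rest[0] != "via" else None
    via = rest[1] if rest[:1] == ["via"] else None
    return {"num": int(t[0]), "action": t[1], "proto": t[2],
            "src": t[4], "dst": t[6], "port": port, "via": via}

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(rules, pkt):
    # Rules are checked in ascending number order; the first match decides.
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["proto"] not in ("ipv6", pkt["proto"]):
            continue
        if r["port"] is not None and r["port"] != pkt.get("dport"):
            continue
        if r["via"] is not None and r["via"] != pkt["iface"]:
            continue
        if addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"]):
            return r["num"], r["action"]
    return None

RULES = [parse(l) for l in POSTED.splitlines()]

# Constructed packets: 2001:db8::/32 is the documentation prefix; en0/en1 are assumed names.
RA = {"proto": "icmp6", "src": "fe80::1", "dst": "ff02::1", "iface": "en0"}
WEB = {"proto": "tcp", "src": "2001:db8::10", "dst": "2001:db8:ffff::80",
       "dport": 80, "iface": "en0"}
WAN = dict(WEB, iface="en1")  # same packet on the other (assumed) interface

if __name__ == "__main__":
    for name, pkt in (("multicast to ff02::1", RA), ("unicast TCP", WEB)):
        print(name, first_match(RULES, pkt))
    without_65000 = [r for r in RULES if r["num"] != 65000]
    print("unicast TCP on en1, rule 65000 deleted", first_match(without_65000, WAN))
```

In this model the multicast packet is accepted by rule 01100 while unicast traffic stops at rule 65000, and with 65000 removed the final rule 65535 accepts IPv6 on any interface because it carries no `via` restriction.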
