In the current [url=https://www.sixxs.net/faq/connectivity/?faq=firewalled]FAQ on firewalls/NAT[/url], it specifies that UDP 3740 (for heartbeat) need only be open for outgoing traffic. However, there is no similar qualification that outgoing traffic only need be open for UDP 5072 (AYIYA) nor TCP 3874 (TIC), although the text ambiguously implies ("no problem/no issue") that such is the case. Similarly, the entry for Protocol 41 (IPv6 over IPv4/6in4 tunnel) says that one "must" setup the tunnel recipient host as a DMZ host, whereas [url=https://www.sixxs.net/faq/connectivity/?faq=conntracking]elsewhere in the FAQ[/url] more specific/less inclusive firewall rules are prescribed. Can someone confirm that these specific firewall rules are indeed (and only) required: For all tunnels: TIC: TCP 3874 -- open outbound to TIC server (e.g tic.sixxs.net) only For static and dynamic/heartbeat tunnels: IPv6 over IPv4/6in4 tunnel: protocol 41-- open/forward/bypass-NAT inbound to tunnel host from PoP For dynamic/heartbeat tunnels: Heartbeat: UDP 3740 -- open outbound to PoP only For AYIYA tunnels: AYIYA: UDP 5072 -- open outbound to PoP only