I've attempted to basically copy the default IPv4 firewall configuration, making changes where it makes sense. Here's what I came up with:
# jun/07/2011 10:09:24 by RouterOS 5.4
# software id = XDDH-ZK31
#
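/ipv6 firewall filter
# --- input chain: traffic addressed to the router itself -------------------
# Modelled on the IPv4 default configuration: ICMP, stateful replies and the
# router's own services are let in, everything else arriving on the tunnel is
# rejected. Input from other interfaces (LAN) is left unfiltered, as before.
# NOTE(review): this accepts every ICMPv6 type from every interface. ND, RA and
# PMTUD need ICMPv6, so do not drop it wholesale, but echo-request on sit1
# could be rate-limited if that ever matters.
add action=accept chain=input comment="ICMPv6 (ND/RA/PMTUD)" disabled=no \
protocol=icmpv6
add action=accept chain=input comment="replies to router-originated traffic" \
connection-state=established disabled=no in-interface=sit1
add action=accept chain=input connection-state=related disabled=no \
in-interface=sit1
add action=accept chain=input comment="SSH inbound" disabled=no dst-port=22 \
in-interface=sit1 protocol=tcp
add action=reject chain=input disabled=no in-interface=sit1 reject-with=\
icmp-address-unreachable
# --- forward chain: traffic passing through the router to the LAN ----------
# This is where copying the IPv4 defaults falls short. In IPv4 the masquerade
# rule means nothing on the Internet can initiate a connection to a LAN host,
# so the default config needs no forward-chain filter. IPv6 has no NAT: every
# host behind the router with a global address is directly reachable through
# the tunnel, and RouterOS applies no implicit default-deny, so with an
# input-only ruleset the policy above protects the router and nothing else.
add action=accept chain=forward comment="ICMPv6 to LAN hosts (PMTUD etc.)" \
disabled=no in-interface=sit1 protocol=icmpv6
add action=accept chain=forward comment="replies to LAN-originated traffic" \
connection-state=established disabled=no in-interface=sit1
add action=accept chain=forward connection-state=related disabled=no \
in-interface=sit1
# Add per-host accepts above this line for any service that should be
# reachable from the Internet; unsolicited tunnel traffic is dropped.
add action=drop chain=forward comment="default deny from tunnel" disabled=no \
in-interface=sit1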
The problem is that the reject rule never sees any traffic, and neither does the 'SSH inbound' rule: the only counters that increment are those of the ICMPv6 rule and the 'established' rule. (Both of those can be accounted for by traffic the router itself provokes — pings/ICMPv6 errors and replies to connections the router opened — so it looks as though no unsolicited IPv6 traffic is reaching the input chain on sit1 at all; I can't tell from the counters why.)
Interface 'sit1' is the tunnel to tunnelbroker — what the RouterOS UI calls "6to4", although strictly it is 6in4 (a statically configured IPv6-in-IPv4 tunnel, IP protocol 41); 6to4 proper is the automatic 2002::/16 scheme.
Oh, and by the way, I also wonder how the tunnelled IPv6 traffic gets in at all: the IPv4 firewall has no rule that explicitly passes IP protocol 41. (My best guess is connection tracking — the router's own outbound protocol-41 packets to the broker create a generic conntrack entry, so the broker's inbound packets match the 'established' rule; `/ip firewall connection print` should show it. If that is right, inbound IPv6 only works while that entry is alive, i.e. while the router keeps sending.)
# jun/07/2011 10:16:17 by RouterOS 5.4
# software id = XDDH-ZK31
#
/ip firewall connection tracking
# Stateful tracking for the IPv4 filter: the "established"/"related" accept
# rules below depend on this being enabled.
# NOTE(review): generic-timeout (10m) is the lifetime of entries for protocols
# conntrack has no dedicated tracker for. This is presumably the entry that
# lets the tunnelbroker's inbound protocol-41 (6in4) packets through as
# "established" -- the router's own outbound tunnel packets create it -- so
# inbound IPv6 would stop working if the router sent nothing for 10 minutes.
# Confirm with /ip firewall connection print.
# tcp-syncookie=no leaves SYN-flood protection off for the router's own TCP
# services (SSH is reachable from the WAN via the dstnat forward); consider
# enabling it.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Router-bound traffic (input chain), RouterOS 5 default layout: let ICMP and
# stateful replies in, whitelist the services the router itself offers, then
# reject whatever else arrives on the WAN side. Input from other interfaces
# (LAN, L2TP/IPsec peers) falls through to the default accept, as in the
# original ruleset.
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
# L2TP/IPsec road-warrior access: IKE (500), NAT-T (4500) and L2TP (1701) as
# one port-list rule, plus ESP itself.
add action=accept chain=input comment="L2TP/IPsec (IKE, NAT-T, L2TP)" \
disabled=no dst-port=500,4500,1701 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="L2TP/IPsec ESP" disabled=no \
in-interface=ether1-gateway protocol=ipsec-esp
# SSH to the router's own address, from any interface. From the WAN this is
# presumably reached through the dstnat port forward (to [routerboard]:22),
# which is why the match is on the internal address rather than on the WAN
# interface.
add action=accept chain=input comment="SSH to routerboard" disabled=no \
dst-address=[routerboard] dst-port=22 protocol=tcp
add action=reject chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway reject-with=icmp-port-unreachable
/ip firewall mangle
# Packet-mark transit traffic from the two VoIP boxes by source MAC so it can
# be prioritised (the queue that consumes the "voip" mark is not shown here).
# NOTE(review): src-mac-address only matches on the interface the box is
# directly attached to -- the MAC is rewritten at every routed hop -- and a
# MAC is trivially spoofed, so this is a QoS selector, not an access control;
# confirm nothing else treats the "voip" mark as trusted.
add action=mark-packet chain=forward disabled=no new-packet-mark=voip \
passthrough=no src-mac-address=[voip box 1 mac]
add action=mark-packet chain=forward disabled=no new-packet-mark=voip \
passthrough=no src-mac-address=[voip box 2 mac]
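/ip firewall nat
# Source NAT for everything leaving via the WAN interface (RouterOS default).
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
# Port forwards, now restricted to packets that actually arrive on the WAN
# interface. The original rules matched on dst-port alone, so any packet the
# router handled for that port -- including a LAN client connecting out to an
# Internet host that happens to use it -- was also rewritten to the internal
# server. If LAN clients must reach the server through the public address
# (hairpin NAT), match dst-address=<public IP> instead of in-interface.
add action=dst-nat chain=dstnat comment="SSH to server host" disabled=no \
dst-port=[super secret] in-interface=ether1-gateway protocol=tcp \
to-addresses=[server host] to-ports=22
# NOTE(review): both forwards carry the same redacted port. If they really are
# the same port this second rule is never reached (first match wins); it is
# only live when the two ports differ.
add action=dst-nat chain=dstnat comment="SSH to routerboard" disabled=no \
dst-port=[super secret] in-interface=ether1-gateway protocol=tcp \
to-addresses=[routerboard] to-ports=22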
/ip firewall service-port
# Connection-tracking / NAT helpers (ALGs). Each enabled helper parses
# application payload and dynamically opens the ports it negotiates, which the
# "related" accept rules in the filter then admit -- so every enabled helper
# widens what the firewall lets in.
# NOTE(review): these appear to be the RouterOS defaults. tftp, irc and h323
# look unused by the configuration shown (the VoIP boxes are only matched by
# MAC, and sip is enabled separately); disabling helpers that are not needed
# removes attack surface. Confirm the VoIP boxes' actual protocol before
# turning h323 off.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no