diff --git a/Shorewall/action.A_Drop b/Shorewall/action.A_Drop
index 5ba82d8ce..0b65a38a3 100644
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -23,14 +23,17 @@ COUNT
 #
 Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs - - icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs - - icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
diff --git a/Shorewall/action.A_Reject b/Shorewall/action.A_Reject
index a5f4611aa..b371e5231 100644
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -18,15 +18,18 @@
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs - - icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs - - icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
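Review bot: The added comment in action.A_Drop speaks of "ipv6-icmp broadcasting", but IPv6 has no broadcast; Neighbor Discovery relies on multicast ICMPv6. The comment should say so, for example `# IPv6 Neighbor Discovery uses multicast ICMPv6, so A_AllowICMPs must precede dropBcast.` Since the rules in these action files are listed in evaluation order, placing `A_AllowICMPs` ahead of `dropBcast(audit)` also means that every ICMP type it accepts is now accepted when addressed to a broadcast or multicast destination. That presumably holds for IPv4 traffic too if this file serves both families, so it is worth confirming the accepted type list is narrow enough and recording that in the comment. The same wording and reordering appear in the action.A_Reject hunk.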