Firewall fiasco
oidentd and port 113
"oidentd" won't authenticate a proper mask without opening port 113 on whatever firewall application you're using to manage connections. This is especially obvious if you use ZNC and you desire to allow such identification authentication.
Solution
Open up port 113 through your firewall. Here's an example with IPTables:
iptables -t filter -I INPUT -p 113 -j ACCEPT
iptables -t filter -I OUTPUT -p 113 -j ACCEPT
Good luck!
IPv6 TUN issue
Unblocking Protocol 41 generally works to bypass firewall restrictions for IPv6 tunnel traffic. Sometimes this is not the case with CSF, even if you specify in the TCP_IN section port "41". Instead, the IPv6 connection will generally hang after a short period of time when establishing a connection to the firewall.
Solution
Simply go to /etc/csf/csfpre.sh (or create it if it doesn't already exist), and add the following:
# Protocol 41 for Hurricane Electric Tunnelbroker
iptables -t filter -I INPUT -p 41 -j ACCEPT
iptables -t filter -I OUTPUT -p 41 -j ACCEPT
CSF will run this script at the end of applying all other rules. It simply applies the policy which protocol 41 is whitelisted inbound/outbound in its entirety.
Even if you're not running CSF, the general rule applies in this instance.