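Below you will find an example ruleset for your IPv6 firewall, which you can use as a baseline. Replace the <2001:db8> addresses with your own IPv6 network addresses. The rules up to the first "deny ipv6 any any log" filter inbound traffic; the rules after it filter outbound traffic.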
remark reject multicast addresses
deny ipv6 ff00::/8 any log
deny ipv6 any ff05::/16 log
remark reject site-local and ipv4-compatibility addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 0::/96 any log
deny ipv6 any 0::/96 log
remark reject 6to4 destination (if not providing 6to4 relays)
deny ipv6 any 2002::/16 log
remark reject external traffic with internal source addr
deny ipv6 <2001:db8:60::/44> any log
remark reject unique local, should be confined to our network
deny ipv6 any fc00::/7 log
deny ipv6 fc00::/7 any log
remark reject type 0 routing header
deny ipv6 any any routing-type 0 log
remark allow incoming connections to specific servers (<replace>)
permit tcp any host <2001:db8:60::80> eq www
permit tcp any host <2001:db8:60::25> eq smtp
permit udp any host <2001:db8:60::53> eq domain
remark allow BGP sessions either way for external BGP peer
permit tcp host <2001:db8:2::1> host <2001:db8:2::2> eq bgp
permit tcp host <2001:db8:2::1> eq bgp host <2001:db8:2::2>
remark allow incoming TCP on non-reserved ports
permit tcp any <2001:db8:60::/44> range 1024 65535
remark allow responses to outgoing DNS back to any host
permit udp any eq domain <2001:db8:60::/44>
remark allow IPSec and IKE between North and Remote
permit udp host <2001:db8:2f::2> eq 500 host <2001:db8:6f::2> eq 500
permit esp host <2001:db8:2f::2> host <2001:db8:6f::2>
remark allow UDP to non-reserved ports with destination of our net or global multicast
permit udp any <2001:db8:60::/44> gt 1023
permit udp any ffe0::/12 gt 1023
remark allow specific ICMP types inbound to global addresses
permit icmp any <2001:db8:60::/44> destination-unreachable
permit icmp any <2001:db8:60::/44> packet-too-big
permit icmp any <2001:db8:60::/44> parameter-problem
permit icmp any <2001:db8:60::/44> echo-reply
remark allow ping from our partners at remote site
permit icmp <2001:db8:20::/44> <2001:db8:60::/44> echo-request
remark allow ND and MLD ICMP types generally, but not RD
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any mld-query
permit icmp any any mld-reduction
remark allow tunnel traffic only to North and Central routers
permit 41 any host <2001:db8:6f::2>
permit 41 any host <2001:db8:60::f14b:65a1>
remark reject everything else
deny ipv6 any any log

remark reject multicast source addresses
deny ipv6 ff00::/8 any log
remark reject site-local and ipv4-compatibility addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 0::/96 any log
deny ipv6 any 0::/96 log
remark reject unique local, should not exit our network
deny ipv6 any fc00::/7 log
deny ipv6 fc00::/7 any log
remark reject type 0 routing header
deny ipv6 any any routing-type 0 log
remark allow outbound TCP from specific servers
permit tcp host <2001:db8:60::80> eq www 2000::/3
permit tcp host <2001:db8:60::80> eq 443 2000::/3
permit tcp host <2001:db8:60::25> eq smtp 2000::/3
remark allow outbound TCP from non-reserved ports
permit tcp <2001:db8:60::/44> gt 1023 2000::/3
remark allow BGP sessions either way for our BGP peer
permit tcp host <2001:db8:6f::2> eq bgp host <2001:db8:6f::1>
permit tcp host <2001:db8:6f::2> host <2001:db8:6f::1> eq bgp
remark allow UDP to valid addresses and global multicast
permit udp <2001:db8:60::/44> 2000::/3
permit udp <2001:db8:60::/44> ffe0::/12
remark allow specific ICMP messages out to everywhere
permit icmp <2001:db8:60::/44> 2000::/3 packet-too-big
permit icmp <2001:db8:60::/44> 2000::/3 parameter-problem
permit icmp <2001:db8:60::/44> 2000::/3 echo-request
remark allow some ICMP just to our partners at remote site
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> destination-unreachable
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> echo-reply
remark allow tunnels only from North and Central routers
permit 41 host <2001:db8:6f::2> any
permit 41 host <2001:db8:60::f14b:65a1> any
remark deny everything else
deny ipv6 any any log
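
A pre-deployment check for the replacement step described in the introduction, as an added example (not part of the original ruleset): it flags rules that still contain a <...> placeholder, an unbracketed address inside the 2001:db8::/32 documentation prefix, or a prefix with host bits set. The function name audit_acl and the sample rules, including the 2a0a:1234:60:: addresses, are constructed for illustration.

```python
import ipaddress
import re

DOC_PREFIX = ipaddress.IPv6Network("2001:db8::/32")  # documentation range (RFC 3849)
PLACEHOLDER = re.compile(r"<([^<>]*)>")              # <...> markers used by the ruleset

# Constructed sample: a partially edited copy of a few rules in the page's syntax.
# 2a0a:1234:60:: is a made-up stand-in for "our real prefix".
SAMPLE = """\
remark allow incoming connections to specific servers (<replace>)
permit tcp any host 2a0a:1234:60::80 eq www
permit tcp any host <2001:db8:60::25> eq smtp
deny ipv6 2001:db8:60::/44 any log
permit udp any 2a0a:1234:60::1/44 gt 1023
permit icmp any <2001:db8:60::/44 > echo-reply
deny ipv6 any any log
"""

def audit_acl(text):
    """Return (line_no, kind, token) findings for rules not ready to deploy."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("remark"):    # remarks are comments
            continue
        # 1. Placeholders that were never replaced.
        for inner in PLACEHOLDER.findall(rule):
            findings.append((no, "placeholder", inner.strip()))
        # 2. Remaining address tokens: must parse, must not be documentation
        #    space, and a prefix must not carry host bits.
        for token in PLACEHOLDER.sub(" ", rule).split():
            if ":" not in token:                     # keywords, ports, protocol numbers
                continue
            try:
                net = ipaddress.IPv6Network(token, strict=False)
            except ValueError:
                findings.append((no, "unparsable", token))
                continue
            if net.subnet_of(DOC_PREFIX):
                findings.append((no, "doc-prefix", token))
            if ipaddress.IPv6Interface(token).ip != net.network_address:
                findings.append((no, "host-bits", token))
    return findings

if __name__ == "__main__":
    for no, kind, token in audit_acl(SAMPLE):
        print(f"line {no}: {kind}: {token}")
```

An empty result means every address in the list parses cleanly and none is a leftover from the template.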