2013-08-20 Correctly firewalling IPv6 was a bit of ...
Correctly firewalling IPv6 was a bit of a search for me, but I think I managed it. There is an apparent contradiction: filtering too much ipv6-icmp will break things, and allowing too much of it opens the door to a neighbour cache overflow attack. In the end I settled on allowing ipv6-icmp in the INPUT ip6tables chain but not in the FORWARD chain. Both chains do have a rule for ESTABLISHED,RELATED traffic. All of this applies to the external interface(s); internal interfaces are trusted. I tested this with nmap from an external IPv6-enabled host and found out there is no way to input IPv6 address ranges, so to scan a number of addresses I had to type each one out in full.
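An ip6tables-restore ruleset that implements the policy described above, added here as an illustration (these are not the post's own rules). The external interface name is passed in as a parameter; everything that is not that interface is treated as trusted internal, and the ESTABLISHED,RELATED rule is what still lets ICMPv6 errors such as Packet Too Big reach internal hosts, because conntrack marks errors for a tracked flow as RELATED.

```shell
#!/bin/sh
# Emit an ip6tables-restore ruleset for the policy in the post.
# $1 is the untrusted external interface (assumed name, e.g. eth0).
gen_ip6_rules() {
    ext_if="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and every non-external (internal, trusted) interface: allow all.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i ${ext_if} -j ACCEPT
# Replies for flows this host started. conntrack classifies ICMPv6 errors
# (Packet Too Big, Time Exceeded, ...) for a tracked flow as RELATED.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The host itself accepts ICMPv6 from outside: NDP, router advertisements, echo.
-A INPUT -i ${ext_if} -p ipv6-icmp -j ACCEPT
# FORWARD: internal hosts go out freely; return traffic and related ICMPv6
# errors come back, but unsolicited ICMPv6 from outside is not forwarded,
# so outsiders cannot probe the whole internal subnet through this router.
-A FORWARD ! -i ${ext_if} -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: sh this_script.sh eth0 | ip6tables-restore
if [ $# -gt 0 ]; then
    gen_ip6_rules "$1"
fi
```

Pipe the output through `ip6tables-restore --test` first to have the kernel-side parser validate the ruleset without committing it.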