====== Protect IPv6 Enabled Client Machines From Unsolicited Internet Traffic ======

One of the biggest issues with enabling IPv6 is that every client gets a globally routable address, so it can be reached directly from the Internet by anyone who finds it. The easiest way to get some protection while keeping full end-to-end connectivity, and without resorting to IPv6 NAT (**shudders**), is a stateful firewall that drops every new inbound connection while allowing all outbound traffic and the replies it generates.

<code>
# Internet -> LAN: drop everything except replies to connections the LAN started
set firewall ipv6-name Internet-To-LAN default-action drop
set firewall ipv6-name Internet-To-LAN description 'Internet to LAN'
set firewall ipv6-name Internet-To-LAN rule 1 action accept
set firewall ipv6-name Internet-To-LAN rule 1 description 'Accept established/related'
set firewall ipv6-name Internet-To-LAN rule 1 state established enable
set firewall ipv6-name Internet-To-LAN rule 1 state related enable
set firewall ipv6-name Internet-To-LAN rule 2 action drop
set firewall ipv6-name Internet-To-LAN rule 2 description 'Drop invalid'
set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable

# LAN -> Internet: allow everything except invalid packets
set firewall ipv6-name LAN-To-Internet default-action accept
set firewall ipv6-name LAN-To-Internet description 'LAN to Internet'
set firewall ipv6-name LAN-To-Internet rule 1 action accept
set firewall ipv6-name LAN-To-Internet rule 1 description 'Accept established/related'
set firewall ipv6-name LAN-To-Internet rule 1 state established enable
set firewall ipv6-name LAN-To-Internet rule 1 state related enable
set firewall ipv6-name LAN-To-Internet rule 2 action drop
set firewall ipv6-name LAN-To-Internet rule 2 description 'Drop invalid'
set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable

# Bind LAN-To-Internet to the LAN interface, direction 'in'
set interfaces ethernet eth1 firewall in ipv6-name LAN-To-Internet

# Bind Internet-To-LAN to the IPv6 WAN interface (here a tunnel), direction 'in'
set interfaces tunnel tun0 firewall in ipv6-name Internet-To-LAN
</code>

Two things to keep in mind. First, the "in" hook only filters traffic that is forwarded through the router; packets addressed to the router itself go through the "local" hook, so this ruleset does nothing for the router's own services on tun0. Second, because the inbound chain drops everything that is not part of a tracked flow, unsolicited ICMPv6 is dropped too. Connection tracking classifies ICMPv6 errors that refer to an existing flow (for example Packet Too Big for a TCP session a client opened) as related, so those still pass, but echo requests and errors that do not match a tracked flow are discarded. RFC 4890 recommends never filtering the ICMPv6 error types (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem), since dropping them breaks Path MTU discovery, so consider accepting them explicitly.
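The following fragment is an added example, not part of the original page: it extends the ruleset above with explicit accept rules for the ICMPv6 error types RFC 4890 says must not be filtered, an optional echo-request rule, and a separate chain bound to the "local" hook so the router itself gets the same default-drop policy. It assumes the same chain names and tun0 as the IPv6 WAN interface; the protocol and ICMPv6 type keywords are the EdgeOS/Vyatta ones and should be confirmed with tab completion on the device.

```text
# Added example (not from the original page). Assumes the Internet-To-LAN
# chain and tun0 from the ruleset above. Rule numbers 10+ leave room for the
# existing state rules 1 and 2, which are evaluated first.

# --- Internet -> LAN: let the RFC 4890 "must not filter" ICMPv6 errors in,
#     even when conntrack has no flow to relate them to (PMTUD depends on this).
set firewall ipv6-name Internet-To-LAN rule 10 action accept
set firewall ipv6-name Internet-To-LAN rule 10 description 'ICMPv6 destination-unreachable (RFC 4890)'
set firewall ipv6-name Internet-To-LAN rule 10 protocol ipv6-icmp
set firewall ipv6-name Internet-To-LAN rule 10 icmpv6 type destination-unreachable

set firewall ipv6-name Internet-To-LAN rule 11 action accept
set firewall ipv6-name Internet-To-LAN rule 11 description 'ICMPv6 packet-too-big, required for PMTUD'
set firewall ipv6-name Internet-To-LAN rule 11 protocol ipv6-icmp
set firewall ipv6-name Internet-To-LAN rule 11 icmpv6 type packet-too-big

set firewall ipv6-name Internet-To-LAN rule 12 action accept
set firewall ipv6-name Internet-To-LAN rule 12 description 'ICMPv6 time-exceeded (RFC 4890)'
set firewall ipv6-name Internet-To-LAN rule 12 protocol ipv6-icmp
set firewall ipv6-name Internet-To-LAN rule 12 icmpv6 type time-exceeded

set firewall ipv6-name Internet-To-LAN rule 13 action accept
set firewall ipv6-name Internet-To-LAN rule 13 description 'ICMPv6 parameter-problem (RFC 4890)'
set firewall ipv6-name Internet-To-LAN rule 13 protocol ipv6-icmp
set firewall ipv6-name Internet-To-LAN rule 13 icmpv6 type parameter-problem

# Optional: answer pings from the Internet. Omit this rule if you prefer
# clients to be invisible to probes; everything else still works without it.
set firewall ipv6-name Internet-To-LAN rule 14 action accept
set firewall ipv6-name Internet-To-LAN rule 14 description 'ICMPv6 echo-request (optional)'
set firewall ipv6-name Internet-To-LAN rule 14 protocol ipv6-icmp
set firewall ipv6-name Internet-To-LAN rule 14 icmpv6 type echo-request

# --- Internet -> this router: the 'in' hook above only covers forwarded
#     traffic, so the router's own services need their own chain on 'local'.
#     Chain name Internet-To-Router is chosen for this example.
set firewall ipv6-name Internet-To-Router default-action drop
set firewall ipv6-name Internet-To-Router description 'Internet to this router'
set firewall ipv6-name Internet-To-Router rule 1 action accept
set firewall ipv6-name Internet-To-Router rule 1 description 'Accept established/related'
set firewall ipv6-name Internet-To-Router rule 1 state established enable
set firewall ipv6-name Internet-To-Router rule 1 state related enable
set firewall ipv6-name Internet-To-Router rule 2 action drop
set firewall ipv6-name Internet-To-Router rule 2 description 'Drop invalid'
set firewall ipv6-name Internet-To-Router rule 2 state invalid enable
# The router needs ICMPv6 for its own PMTUD and diagnostics; accept the
# protocol here, or copy rules 10-14 above if you want it narrowed by type.
set firewall ipv6-name Internet-To-Router rule 10 action accept
set firewall ipv6-name Internet-To-Router rule 10 description 'ICMPv6 to the router'
set firewall ipv6-name Internet-To-Router rule 10 protocol ipv6-icmp

# Bind the router-protection chain to the IPv6 WAN interface, direction 'local'
set interfaces tunnel tun0 firewall local ipv6-name Internet-To-Router
```

After a commit, verify the behaviour from an outside host: a TCP connection to a LAN address should time out (rule 1 does not match, default-action drop), a ping should be answered only if rule 14 is present, and a large download from a LAN client should still negotiate its MTU, which is the symptom to watch if the ICMPv6 rules are missing.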