One of the biggest issues with enabling IPv6 is that it has the potential to expose client machines to malicious traffic. The easiest way to give yourself a little bit of extra protection while still allowing full outside connectivity, without resorting to IPv6 NAT (shudders), is to block all incoming connections while still allowing all outbound.
set firewall ipv6-name Internet-To-LAN default-action drop
set firewall ipv6-name Internet-To-LAN description 'Internet to LAN'
set firewall ipv6-name Internet-To-LAN rule 1 action accept
set firewall ipv6-name Internet-To-LAN rule 1 description 'Drop Incoming IPv6 unless related'
set firewall ipv6-name Internet-To-LAN rule 1 state established enable
set firewall ipv6-name Internet-To-LAN rule 1 state related enable
set firewall ipv6-name Internet-To-LAN rule 2 action drop
set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable
set firewall ipv6-name LAN-To-Internet default-action accept
set firewall ipv6-name LAN-To-Internet description 'LAN to Internet'
set firewall ipv6-name LAN-To-Internet rule 1 action accept
set firewall ipv6-name LAN-To-Internet rule 1 state established enable
set firewall ipv6-name LAN-To-Internet rule 1 state related enable
set firewall ipv6-name LAN-To-Internet rule 2 action drop
set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable
# Bind LAN-To-Internet rule to LAN interface 'in'
set interfaces ethernet eth1 firewall in ipv6-name LAN-To-Internet
# Bind Internet-To-LAN rule to IPv6 WAN interface 'in'
set interfaces tunnel tun0 firewall in ipv6-name Internet-To-LAN
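To check what these rulesets do to a packet in each connection-tracking state, the sketch below (an added example, not part of the original post) parses the matching-relevant `set` lines and applies first-match-wins evaluation with the ruleset's default-action as the fallback. The helper names `parse` and `verdict` and the state label "new" (a packet that starts a connection) are assumptions made for the illustration.

```python
import re

# Matching-relevant lines of the page's two rulesets (descriptions omitted).
CONFIG = """
set firewall ipv6-name Internet-To-LAN default-action drop
set firewall ipv6-name Internet-To-LAN rule 1 action accept
set firewall ipv6-name Internet-To-LAN rule 1 state established enable
set firewall ipv6-name Internet-To-LAN rule 1 state related enable
set firewall ipv6-name Internet-To-LAN rule 2 action drop
set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable
set firewall ipv6-name LAN-To-Internet default-action accept
set firewall ipv6-name LAN-To-Internet rule 1 action accept
set firewall ipv6-name LAN-To-Internet rule 1 state established enable
set firewall ipv6-name LAN-To-Internet rule 1 state related enable
set firewall ipv6-name LAN-To-Internet rule 2 action drop
set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable
"""

def parse(config):
    """Return {ruleset: {"default": action, "rules": {number: rule}}}."""
    rulesets = {}
    for line in config.splitlines():
        m = re.match(r"set firewall ipv6-name (\S+) (.+)", line.strip())
        if not m:
            continue
        name, tok = m.group(1), m.group(2).split()
        rs = rulesets.setdefault(name, {"default": None, "rules": {}})
        if tok[0] == "default-action":
            rs["default"] = tok[1]
        elif tok[0] == "rule" and len(tok) >= 4:
            rule = rs["rules"].setdefault(int(tok[1]), {"action": None, "states": set()})
            if tok[2] == "action":
                rule["action"] = tok[3]
            elif tok[2] == "state" and tok[-1] == "enable":
                rule["states"].add(tok[3])
    return rulesets

def verdict(rulesets, name, state):
    """First matching rule in ascending number order wins, else default-action."""
    rs = rulesets[name]
    for number, rule in sorted(rs["rules"].items()):
        # A rule with no state criteria matches every packet.
        if not rule["states"] or state in rule["states"]:
            return rule["action"]
    return rs["default"]

if __name__ == "__main__":
    for name in (rs := parse(CONFIG)):
        print(name, {s: verdict(rs, name, s) for s in ("new", "established", "related", "invalid")})
```

The only inbound packets that pass Internet-To-LAN are those conntrack already ties to a connection a LAN host opened; an unsolicited new connection from the Internet falls through both rules to the default drop.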