FGHIGate at GaNJa NeTWoRK ST@Ti0N - Viewing a message in the IPV6 echo conference
= Message: 3342 of 7440 ============================================== IPV6 =
From : Michiel van der Vlist            2:280/5555         08 Aug 16 22:11:52
To   : Tony Langdon                                        08 Aug 16 22:11:52
Subj : IPV6 and Netgear
FGHI : area://IPV6?msgid=2:280/5555+57a8ee36
Re   : area://IPV6?msgid=1795.fido-ipv6@3:633/410+1c0d4c97
= Message encoding detected as: CP850 ========================================
Reply: area://IPV6?msgid=1803.fido-ipv6@3:633/410+1c0e55aa
==============================================================================
Hello Tony,

On Monday August 08 2016 14:34, you wrote to me:

MvV>> Any decent IPv6 capable router should have a firewall that
MvV>> blocks all unsolicited incoming IPv6 packets by default, but
MvV>> allows to "punch holes" depending on port numbers and
MvV>> destination on the LAN.

TL> This is how my Fritzbox works.  Confusingly, they call it "port
TL> forwarding" (under the IPv6 tab), but it's actually a packet filter.

This confusing way of presenting the IPv6 firewall options seems to be common among router manufacturers. I have a combined cable modem + router from Cisco. There is a tab "security" with a subtab for "firewall". That allows for enabling or disabling the IPv6 firewall, and also for enabling things like port scan detection and flood detection.

In a completely different part, under a tab "Applications and gaming", there is a section "Port Range Forwarding". IPv4 and IPv6 are covered in one and the same section. You choose an external port range (start port and end port), an internal IP address, the IP type, internal port range and protocol (TCP/UDP/Both).


For IPv4 it is old hat. But when you change the IP type there are two other choices, IPv6 or MACv6. If you choose one of these, the boxes for the external port range gray out. You can only enter an internal port range. That one cannot enter both an external and an internal port range makes sense, there is no port /translation/. But it is confusing at first because the external port range is the two leftmost boxes, which one naturally would try to enter first.

The internal IPv6 address defaults to ::. Which in a way also makes sense. Interesting is the option "MACV6". Instead of the IPv6 address, one enters the MAC address of the interface. Useful if one does not have a static IPv6 prefix. Then you do not have to change the table every time the IPv6 prefix changes.

I can understand why they do it this way, but I find it undesirable from an educational POV. While it has the same goal, having an incoming packet reach its intended destination, the mechanism is completely different. As you say, for IPv6 it is not NAPT, it is a packet filter.

TL> There are options to allow TCP and/or UDP ports, or you can expose the
TL> host completely if you prefer (i.e. disable all inbound filtering for
TL> that particular IP).  I have a handful of exposed Linux hosts, and for
TL> this Windows machine, only a couple of ports (telnet, rlogin and SSH)
TL> that were used for testing are unfiltered.  By default, out of the
TL> factory, all inbound IPv6 traffic is blocked, which is the most
TL> sensible default.

Same with my router.

What is a bit unclear is how it deals with ICMP. There is an option in the firewall setting "block anonymous internet requests". It is unclear if it applies to both IPv4 and IPv6 or to both. It is activated by default. By default it rejects PING.  So I have deactivated it and now all IPv6 devices on the LAN are pingable. It has no way to be more specific, so I assume all ICMP is allowed.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20130111
* Origin: he.net certified sage (2:280/5555)
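
Added example, not part of the original message and not the router's firmware: a small Python model of the IPv6 "port range forwarding" table described above, showing that it only filters (no port or address translation) and why a MACv6 entry survives a prefix change while an IPv6 entry does not. How the Cisco device matches a MACv6 entry is not stated in the message; matching on the modified EUI-64 interface identifier is an assumption here, and it only covers SLAAC addresses derived from the MAC. The class and function names, addresses and MAC are constructed.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

class Hole:
    """One allowed inbound flow: LAN target, protocol, internal port range."""
    def __init__(self, ip_type, target, proto, first_port, last_port):
        self.proto = proto  # "tcp", "udp" or "both"
        self.ports = range(first_port, last_port + 1)
        self.addr = self.iid = None
        if ip_type == "MACv6":
            # Assumption: match on the SLAAC interface identifier (low 64 bits)
            self.iid = eui64_interface_id(target)
        elif ip_type == "IPv6":
            self.addr = ipaddress.IPv6Address(target)
        else:
            raise ValueError("ip_type must be 'IPv6' or 'MACv6'")

    def matches(self, dst, proto, dport):
        if self.proto not in (proto, "both") or dport not in self.ports:
            return False
        if self.addr is not None:
            return dst == self.addr
        return int(dst) & 0xFFFFFFFFFFFFFFFF == self.iid

def filter_inbound(holes, dst, proto, dport, solicited=False):
    """Return "accept" or "drop"; the packet is never rewritten (no NAPT)."""
    dst = ipaddress.IPv6Address(dst)
    # Replies to connections opened from the LAN pass; anything else needs a hole.
    if solicited or any(h.matches(dst, proto, dport) for h in holes):
        return "accept"
    return "drop"

# Constructed sample data: documentation prefix 2001:db8::/32, made-up MAC.
HOLES = [
    Hole("MACv6", "00:11:22:33:44:55", "tcp", 22, 22),
    Hole("IPv6", "2001:db8:1::10", "both", 80, 81),
]

if __name__ == "__main__":
    for dst, port in [("2001:db8:1:0:211:22ff:fe33:4455", 22),   # old prefix
                      ("2001:db8:2:0:211:22ff:fe33:4455", 22),   # new prefix
                      ("2001:db8:2::10", 80)]:                   # stale address rule
        print(dst, port, filter_inbound(HOLES, dst, "tcp", port))
```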
