Is there already a recommended IPv6 Firewall setup?

Solution 1:

The advice is largely unchanged from public-IPv4-subnet-behind-Firewall setups that we've had in the .EDU space since the beginning of the commercial Internet. Since early .EDU subnet allocations were rather generous (my old work has an IPv4 /16 allocation, and I know of another institution our size that has a /16 and another /18 for good measure) these institutions have deep experience protecting publicly routable IP addresses behind firewalls. Heck, that setup was what the original IP creators had in mind.

The principles (from memory):

  • Do not allow external access to internal IP addresses unless there is a specific business need (default deny).
  • Allow ICMP to internal addresses as the IP protocols rely on it to determine network conditions.
    • Ping-sweeps should be blocked by your IPS config.
    • Keep in mind that just because a machine is ping-able, does not mean it is connectable!
  • Reverse DNS lookups do matter for some use-cases, so be sure that they're working right.

A short list, I know. But the basic firewall principle going back 20 years is the same: allow access only to those IP:port combinations you want to permit, deny everything else.

Solution 2:

If your rules hitherto consisted of "only traffic initiated internally" (NAT) with some exceptions for published services (port forwarding), you can stick to that and simply transfer it to IPv6.

You will have additional implications with the tunneling and encryption capabilities that come with v6 which you will want to address, but in general, everything that applied to v4 does still apply to v6. Recommended reading: Building Internet Firewalls (Zwicky, Cooper, Chapman).

Solution 3:

In addition to the answers here, you should check out RFC 4890 which outlines a lot of the information you need to understand about ICMP6 through firewalls. Also see Google's IPv6 Info Center.
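As an added illustration of the principles in Solution 1 (default deny, permit only chosen IP:port pairs, let ICMP through) and of the RFC 4890 ICMPv6 guidance cited in Solution 3, here is a stateful IPv6 ruleset for a Linux router running nftables. It is example code written for this page, not something from the question, any of the answers, or the RFC itself. The interface names (wan0, lan0), the RFC 3849 documentation prefix 2001:db8:abcd::/48 and the published web server 2001:db8:abcd:1::10 are assumed placeholder values; replace them with your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original page). Assumed names: wan0 = upstream
# interface, lan0 = internal interface, 2001:db8:abcd:1::10 = published web server.
# Load with: nft -f /etc/nftables.conf
#
# Caution: "flush ruleset" clears every table, IPv4 ones included. Use
# "flush table ip6 filter" instead if other families are managed elsewhere.
flush ruleset

table ip6 filter {
    # The complete list of internal IP:port pairs the outside may open
    # connections to ("allow only what there is a business need for").
    set published {
        type ipv6_addr . inet_service
        elements = { 2001:db8:abcd:1::10 . 80,
                     2001:db8:abcd:1::10 . 443 }
    }

    # ICMPv6 that RFC 4890 says a firewall must not drop, plus the link-local
    # control traffic IPv6 cannot work without. Non-ICMPv6 packets fall
    # through this chain unmatched and return to the caller.
    chain icmpv6_essential {
        # RFC 4890 4.3.1: error messages; dropping packet-too-big breaks PMTUD.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # Echo is allowed but rate-limited: diagnostics keep working, while a
        # ping sweep is throttled (the IPS still sees the attempt).
        icmpv6 type { echo-request, echo-reply } \
            limit rate 10/second burst 20 packets accept
        # Neighbor Discovery (RFC 4861) is link-local and always sent with
        # hop limit 255; anything else claiming to be ND is forged or routed.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept
        # MLD (types 130-132, 143) so multicast group membership works on the link.
        icmpv6 type { mld-listener-query, mld-listener-report,
                      mld-listener-done, mld2-listener-report } accept
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        jump icmpv6_essential
        # Router management only from the inside.
        iif lan0 tcp dport 22 accept
    }

    # Traffic crossing the router: this is where the old "only traffic
    # initiated internally, plus published exceptions" NAT policy lives in v6.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        jump icmpv6_essential
        # Internally initiated sessions may go out; replies return via conntrack.
        iif lan0 oif wan0 accept
        # From outside, only new connections to a published IP:port pair.
        iif wan0 oif lan0 ip6 daddr . tcp dport @published ct state new accept
        # Everything else hits the drop policy; log a sample for the SOC.
        limit rate 5/minute log prefix "ip6-fwd-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Two points are worth checking after loading it: `nft list ruleset` should show the `published` set containing exactly the pairs you intend, and a `ping6` from outside to an internal host should succeed while a TCP connect to an unpublished port on the same host is dropped, which is the ping-able-but-not-connectable distinction Solution 1 makes. The echo rate limit is deliberately per-rule rather than per-source; if you need per-source limiting, nftables meters (`meter name { ip6 saddr limit rate ... }`) provide it.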