I'm going to hardcode following ipv6 firewall rules into rc:
Code:
# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT
ip6tables -A OUTPUT -o sixtun -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
kamil - is it OK for the first step?