On Mon, Jul 13, 2015 at 03:12:50PM -0300, Giancarlo Razzolini wrote:
> The client doesn't need inbound UDP ports to be open. The OpenBSD
> firewall does, if you're using DHCPv6 to configure it. If using SLAAC,
> only RS and RA ICMP messages are needed. Since stateless configuration
> is done using multicast (ff02) and link-local (fe80) addresses, no
> need to worry. You can even make a rule allowing only your CPE
> link-local, if you want.
I stand corrected. I just disabled all of my IPv6-related pf exceptions and it still works. I must have inadvertently fixed something else when I added them.

> You don't need DHCPv6. I use stateless both for my firewall getting
> its IPv6 address from the CPE and for it advertising the prefix on
> the internal network. Most modern systems can configure the DNS using
> stateless configuration. So only a subset of ICMPv6 messages need to
> be allowed both on the router and clients.

Also correct. I just checked, and Comcast home routers let you choose between stateless and stateful IPv6 config in their control panel.

Sorry for the noise,
Michael
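An added pf.conf fragment (not from this thread) showing the setup the two messages describe: pass only the ICMPv6 that SLAAC needs on the CPE-facing side, restrict Router Advertisements to the CPE's link-local address as Giancarlo suggests, and let the firewall advertise the prefix on the inside. Interface names and the CPE address are assumptions.

```pf
# Constructed example for a SLAAC-only IPv6 setup on an OpenBSD firewall.
ext_if = "em0"        # assumed: interface facing the CPE
int_if = "em1"        # assumed: internal LAN where rtadvd runs
cpe_ll = "fe80::1"    # placeholder: replace with your CPE's link-local address

# Neighbor Discovery (ICMPv6 types 135/136) is needed for any IPv6 on a link,
# whether addresses come from SLAAC or DHCPv6. The kernel already enforces
# the hop-limit-255 requirement on ND packets.
pass inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv }

# External side: we send Router Solicitations to the all-routers multicast
# group and accept Router Advertisements only from the CPE's link-local.
pass out on $ext_if inet6 proto icmp6 from fe80::/10 to ff02::2 \
    icmp6-type routersol
pass in  on $ext_if inet6 proto icmp6 from $cpe_ll to { fe80::/10, ff02::1 } \
    icmp6-type routeradv

# Internal side: hosts solicit (source may be :: before they have an address),
# and rtadvd on the firewall answers with the prefix.
pass in  on $int_if inet6 proto icmp6 from { fe80::/10, :: } to ff02::2 \
    icmp6-type routersol
pass out on $int_if inet6 proto icmp6 from fe80::/10 to { fe80::/10, ff02::1 } \
    icmp6-type routeradv

# No inbound UDP (DHCPv6 uses 546/547) has to be opened for this to work.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.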