moneron

MT IPv6 default firewall

Jun 28th, 2018
  1. /ipv6 firewall {
  2. address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  3. address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  4. address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  5. address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  6. address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  7. address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  8. address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  9. address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  10. address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  11. address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
  12. address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
  13. address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
  14. address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
  15. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  16. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  17. filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  18. filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
  19. filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."
  20. filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  21. filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  22. filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  23. filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  24. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  25. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  26. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  27. filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  28. filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  29. filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  30. filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  31. filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  32. filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  33. filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  34. filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  35. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  36. filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  37. }