Once upon a time, Kenneth Porter shiva@sewingwitch.com said:
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
Anything that's already working through IPv4 NAT should work just fine through IPv6 with connection tracking.
IPv4 NAT is a stateful, connection tracking, packet mangling firewall. With IPv6, you can just do the same thing without the packet mangling misfeatures of NAT, with just connection tracking.
But don't go blocking ICMP - doing that in IPv4 already can break things, and it can break even more things in IPv6.
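As an added illustration of the reply above (example code, not from either poster), a shell function that emits an ip6tables-restore ruleset for a router whose LAN interface is assumed to be eth1 and WAN interface eth0 (placeholder names): the FORWARD chain leans on connection tracking for TCP and UDP replies alike, so a DNS query from the LAN gets its answer back without a blanket UDP rule, and ICMPv6 is left open rather than blocked.

```shell
# Added example (not from the thread): generate an ip6tables-restore ruleset
# for a stateful IPv6 router. Arguments: LAN interface, WAN interface
# (defaults eth1/eth0 are assumed placeholder names).
gen_ip6_forward_rules() {
  lan="${1:-eth1}"
  wan="${2:-eth0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own flows, and ICMPv6 (NDP, PMTUD)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Forwarded traffic: replies to any flow the LAN started. Conntrack tracks
# UDP as well as TCP, so a DNS answer from the WAN matches ESTABLISHED;
# ICMPv6 errors tied to a tracked flow (e.g. packet-too-big) match RELATED.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any flow are dropped
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Do not block ICMPv6 wholesale: path MTU discovery and traceroute
# (time-exceeded) depend on it, and IPv6 breaks harder than IPv4 without it
-A FORWARD -p ipv6-icmp -j ACCEPT
# New flows from LAN to WAN; no NAT, just state. Unsolicited WAN->LAN
# traffic falls through to the DROP policy.
-A FORWARD -i ${lan} -o ${wan} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset (needs root); the same text can be checked first with
# "gen_ip6_forward_rules eth1 eth0 | ip6tables-restore --test".
apply_ip6_forward_rules() {
  gen_ip6_forward_rules "$@" | ip6tables-restore
}
```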