I finally got an ISP connection with working IPv6 and now I need to add firewall rules for forwarding connections from my LAN to the WAN. I'm using firewalld to handle the high-level description that gets translated to iptables/ip6tables on CentOS 7. Of course, with IPv6, one doesn't do NAT, so the usual masquerade target doesn't make sense. But I want similar connection logic, with no inbound connections allowed to LAN clients and all outbound connections allowed. How does one express this in either firewalld or its ip6tables "direct rules"? I don't currently need port-forwarding to internal servers but, for completeness, what would such rules look like?