Thank you for all the help. I've created a new ruleset which I hope
is ok.
# macros
int_if = "em0"
# tables
# options
set block-policy return
# scrub
scrub all
# filter rules
block log inet6 all
pass quick on lo0 inet6 all
pass in quick on gif0 inet6 proto icmp6 icmp6-type echoreq keep state
pass in on $int_if inet6 proto icmp6
pass out on $int_if inet6 proto icmp6
pass out inet6 keep state
pass in on $int_if inet6 proto { tcp, udp } from 2001:6f8:XXXX:1::/48 \
    to self port 22 flags S/SA keep state
pass in on $int_if inet6 proto { tcp, udp } from 2001:6f8:XXXX:1::/48 \
    to any flags S/SA keep state
This ruleset is for an IPv6 gateway which should only block IPv6
traffic. The last two rules are for the internal network. So the
internal network can connect to the ssh daemon and initiate
connections to the world through the gateway.
- Stefan
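
An added example, not part of Stefan's post: a simplified Python model of how pf evaluates the filter rules above (last matching rule wins, `quick` stops evaluation), ignoring scrub, state tracking and TCP flags. The prefix 2001:db8:1::/48 is a constructed stand-in for the redacted internal prefix, and the helper names and packet fields are assumptions of this sketch.

```python
import ipaddress

# Constructed stand-in for the redacted prefix 2001:6f8:XXXX:1::/48.
INTERNAL = ipaddress.ip_network("2001:db8:1::/48")
TCP_UDP = {"tcp", "udp"}

def rule(action, quick=False, **match):
    return {"action": action, "quick": quick, "match": match}

# Simplified model of the posted filter rules, in file order (hypothetical field names).
RULES = [
    rule("block"),                                           # block log inet6 all
    rule("pass", quick=True, iface="lo0"),                   # pass quick on lo0
    rule("pass", quick=True, direction="in", iface="gif0",
         proto={"icmp6"}, icmp6_type="echoreq"),             # echo request on gif0
    rule("pass", direction="in", iface="em0", proto={"icmp6"}),
    rule("pass", direction="out", iface="em0", proto={"icmp6"}),
    rule("pass", direction="out"),                           # pass out inet6 keep state
    rule("pass", direction="in", iface="em0", proto=TCP_UDP,
         src=INTERNAL, dst_self=True, port=22),              # internal -> self port 22
    rule("pass", direction="in", iface="em0", proto=TCP_UDP,
         src=INTERNAL),                                      # internal -> any
]

def matches(match, pkt):
    """True when every constraint of the rule is satisfied by the packet."""
    for key, want in match.items():
        have = pkt.get(key)
        if key == "proto":
            ok = have in want
        elif key == "src":
            ok = have is not None and ipaddress.ip_address(have) in want
        else:
            ok = have == want
        if not ok:
            return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (action, rule index): last match wins unless a quick rule matches."""
    verdict = ("pass", None)  # pf's implicit default when no rule matches
    for index, r in enumerate(rules):
        if matches(r["match"], pkt):
            verdict = (r["action"], index)
            if r["quick"]:
                break
    return verdict

if __name__ == "__main__":
    syn = {"direction": "in", "iface": "em0", "proto": "tcp", "port": 22, "dst_self": True}
    for src in ("2001:db8:1::10", "2001:db8:ffff::1"):  # constructed addresses
        print(src, evaluate({**syn, "src": src}))
```

In this model a packet from the internal prefix to any port on the gateway itself is passed by the last rule as well, because `to any` also covers the gateway's own addresses.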