I'd like to switch from private-IPv4-subnet-behind-NAT to IPv6, but of course I have no intention of exposing my users' workstations "unprotected" to the net.
Some obvious points up-front:
- Allow access to provided services
- Deny access to workstations
Is there a recommended firewall setup guideline that talks about the details and experiences with such setups?
The advice is largely unchanged from public-IPv4-subnet-behind-Firewall setups that we've had in the .EDU space since the beginning of the commercial Internet. Since early .EDU subnet allocations were rather generous (my old work has an IPv4 /16 allocation, and I know of another institution our size that has a /16 and another /18 for good measure) these institutions have deep experience protecting publicly routable IP addresses behind firewalls. Heck, that setup was what the original IP creators had in mind.
The principles (from memory):
A short list, I know. But the basic firewall principle going back 20 years is the same: allow access only to those IP:port combinations you want to permit, deny everything else.
If your rules hitherto consisted of "only traffic initiated internally" (NAT) with some exceptions for published services (port forwarding), you can stick to that and simply transfer it to IPv6.
You will have additional implications with the tunneling and encryption capabilities that come with v6 which you will want to address, but in general, everything that applied to v4 does still apply to v6. Recommended reading: Building Internet Firewalls (Zwicky, Cooper, Chapman).
In addition to the answers here, you should check out RFC 4890 which outlines a lot of the information you need to understand about ICMP6 through firewalls. Also see Google's IPv6 Info Center
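Putting the two answers above together (the NAT-era "only internally initiated traffic plus published services" policy carried over to v6, and the ICMPv6 messages RFC 4890 says a firewall must let through), here is an added example that is not from any of the posters: a small shell script that emits and loads an nftables ruleset. The interface names, LAN prefix and server address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful IPv6 ruleset for nftables that
# mirrors the NAT-era policy of "only internally initiated traffic, plus a few
# published services", with the ICMPv6 exceptions RFC 4890 says a firewall must pass.
# All names below are constructed: WAN on eth0, LAN on eth1, LAN prefix
# 2001:db8:1::/64, one published web server at 2001:db8:1::80.

# Emit the ruleset as text; arguments: lan_if wan_if lan_prefix server_addr
gen_ruleset() {
  lan_if="$1"; wan_if="$2"; lan_prefix="$3"; server="$4"
  cat <<EOF
flush ruleset
table ip6 filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Neighbor discovery is link-local and must arrive with hop limit 255 (RFC 4890 4.4)
    icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
    # Manage the firewall itself only from the LAN
    iifname "$lan_if" ip6 saddr $lan_prefix tcp dport 22 ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Error and path-MTU messages must transit; routers do not fragment in IPv6 (RFC 4890 4.3.1)
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    icmpv6 type { echo-request, echo-reply } limit rate 10/second accept
    # Published service: only this IP:port combination is reachable from outside
    iifname "$wan_if" oifname "$lan_if" ip6 daddr $server tcp dport { 80, 443 } ct state new accept
    # Workstations: only connections they initiate; inbound traffic matches nothing, so policy drop applies
    iifname "$lan_if" oifname "$wan_if" ip6 saddr $lan_prefix ct state new accept
  }
}
EOF
}

# Load atomically: nft replaces the whole ruleset, or leaves the old one in place on a syntax error
apply_ruleset() {
  gen_ruleset "$@" | nft -f -
}

# Usage (as root on the firewall host): apply_ruleset eth1 eth0 2001:db8:1::/64 2001:db8:1::80
# Preview without loading:              gen_ruleset eth1 eth0 2001:db8:1::/64 2001:db8:1::80
```

Because the forward chain's policy is drop and no rule accepts new connections toward the workstation prefix, the workstations end up with exactly the exposure they had behind NAT, while keeping the globally routable addresses.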