My U-Verse modem has something called "Reflexive ACL" described as
Reflexive ACL: When IPv6 is enabled, you can enable Reflexive Access Control Lists to deny inbound IPv6 traffic unless this traffic results from returning outgoing packets (except as configured through firewall rules).
This seems like a pretty good way to keep from having to maintain a firewall on each computer behind my router that gets handed an IPv6 address. It sounds about like a NAT, which for my small home network is all I want right now.
Now my modem sucks as a router though, so I'm in the process of configuring an OpenBSD router to do that. I've got IPv6 supported and all that and my OpenBSD router will hand out IPv6 addresses by rtadvd. Now I want to keep people from having instant access to my local network through IPv6.
How would I best do something like Reflexive ACL with pf in OpenBSD 5.0?
This will do:
This will pass all traffic except on the external interface where it will drop all incoming packets. OpenBSD is stateful by default, so it will allow packets in if they match an existing connection.
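A pf.conf ruleset for OpenBSD 5.0 that implements this, added here as an example rather than the rules from the answer above. It assumes em0 faces the modem and em1 is the LAN where rtadvd runs; the ICMPv6 exceptions are the practical caveat, because without neighbour discovery and Path MTU Discovery a default-deny IPv6 link stops working.

```pf
# /etc/pf.conf excerpt: IPv6 "reflexive ACL" behaviour on an OpenBSD 5.0 router.
# Added example, not the original answer's rules. Interface names are
# assumptions: em0 faces the U-Verse modem, em1 is the LAN served by rtadvd.
ext_if = "em0"
int_if = "em1"

set skip on lo

# Default deny for IPv6 arriving from the outside. pf is stateful by default,
# so replies to connections started from the LAN (or from the router itself)
# match the state created by the "pass out" rule below and are let through
# without any explicit inbound rule. That is the reflexive-ACL behaviour.
block in log on $ext_if inet6

# Outbound IPv6 from the router and from the LAN creates state. "keep state"
# is already the default in this version of pf; it is written out for clarity.
pass out on $ext_if inet6 keep state

# IPv6 needs a minimum of ICMPv6 (RFC 4890): neighbour discovery with the
# modem, router advertisements from it, and Path MTU Discovery. None of these
# are replies to LAN traffic, so they need explicit inbound exceptions.
# Echo requests are optional; drop "echoreq" to refuse pings from outside.
pass in on $ext_if inet6 proto icmp6 icmp6-type \
    { neighbrsol, neighbradv, routeradv, toobig, timex, paramprob, unreach, echoreq }

# Hosts on the LAN may talk to the router and through it. This also carries
# the ICMPv6 that rtadvd and neighbour discovery need on the inside.
pass on $int_if inet6

# A service deliberately exposed to the outside gets a later, more specific
# "pass in" rule, which wins over the block above because pf uses the last
# matching rule. Placeholder address, kept commented out:
# pass in on $ext_if inet6 proto tcp to 2001:db8::10 port 22
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -sr` that the block rule precedes the ICMPv6 exception; the `log` keyword lets you watch rejected inbound IPv6 on pflog0 with `tcpdump -n -e -ttt -i pflog0 ip6`.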
That sounds like stateful filtering to me.
The OpenBSD pf.conf man page says the following about keeping state:
pf will keep state by default.