In this section we'll look at IPv6 and firewalling, or in particular, packet filtering. Packet filtering, in general, is the process of examining packets as they enter and exit a network and making a decision about allowing them through or dropping them. Usually packet filters allow you to make decisions on factors such as:
Protocol (e.g., TCP, UDP, or ICMP)
Source and destination port number/ICMP type (e.g., 80 is HTTP; 25 is SMTP)
Source and destination IP address
Incoming and outgoing interface
TCP flags, sequence numbers and window values
IP fragmentation offset and size
The rules used to filter packets can either be statically configured or rules may be updated dynamically by the traffic itself. For example, TCP data traffic may only be passed if the normal 3-way handshake has been completed. These sorts of dynamic rules are referred to as stateful packet filtering.
Many existing packet filters offer additional features, such as packet normalization (where unusual looking IP streams are normalized before being allowed through the firewall), sequence number rewriting (where TCP initial sequence numbers are made more random), transparent proxying (where HTTP connections are redirected to a proxy server without the client's knowledge) or NAT (where several machines are made to appear as a single IP address).
Most of what is known about IPv4 packet filtering applies directly to the IPv6 situation, as layer 3 (TCP and UDP) and above are largely the same in both IPv4 and IPv6. ...