I am using IPv4 currently where only my server is exposed to the outside world. All other devices are hidden behind a second FW and can't be reached from the outside world.
I also have a static IPv6 address but does not use it yet. Now, I am looking to start using the dual-stack option, but I am afraid that my local systems are being reachable from the outside world.

There is much data about IPv6 on the Internet, but I have not found (yet) info on how to shield your local systems as good as on a IPv4 network.

Hope someone can point me in the right direction or has ready answers

Regards, Frans.

NAT gave IPv4 some immunity by accident since you can't receive unsolicited traffic from the internet. For IPv6 you should block all traffic at the firewall using ip6tables and only open the ports where you need to receive traffic. If your box does not need to receive unsolicited traffic, then you should only route established tcp sessions to it using connection tracking. This means you forward "NEW" packets from inside to outside and "ESTABLISHED,RELATED" from outside to inside. This creates some issues with services that open a secondary port, but they are the same issues as IPv4/NAT.

https://www.sixxs.net/wiki/IPv6_Firewalling

Thanks for the pointers. The thing is that I just don't want the outside world to knock on my local systems. They can knock on my inner FW, but no further. It is not that I have a need to really obscure my IPv6 addresses, just don't want the outside world in without reason.

Come to think of, my inner FW just blocks every incoming request too. I only needed to use NAT on the outside FW. Using dual-stack I still need this for IPv4 protocols, but there is no need for it when using IPv6. As long as my local systems are not directly reachable for the outside using a FW.

Ok, I think I understand it a little better and will take the next step into the experiment.

--, Frans.