tag 701200 security

This is not just a bug, this is a gaping security hole.  The default
configuration is wide open on IPv6.

Please add, at a minimum, the following default rules for IPv6:

domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            proto ipv6-icmp ACCEPT;  # ICMPv6; "proto icmp" names the IPv4 protocol
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
    }
}
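
A check for the condition this report describes, as an added example that is not part of the original message or of ferm: it reads ip6tables-save output and flags a filter table whose INPUT or FORWARD chain does not default to DROP. The function name check_ip6_policy and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ip6tables-save output for an open IPv6 filter table.
# check_ip6_policy reads the dump on stdin, prints one line per finding and
# returns 0 only when INPUT and FORWARD both default to DROP.
check_ip6_policy() {
    awk '
        /^\*/ { table = substr($0, 2) }               # "*filter" starts a table
        table == "filter" && /^:(INPUT|FORWARD) / {
            chain = substr($1, 2)                     # ":INPUT" -> "INPUT"
            seen[chain] = 1
            if ($2 != "DROP") { print "OPEN: " chain " policy is " $2; bad = 1 }
        }
        END {
            # An empty dump (no ruleset ever loaded) means the kernel default, ACCEPT.
            n = split("INPUT FORWARD", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) {
                    print "OPEN: " want[i] " not in dump, kernel default is ACCEPT"
                    bad = 1
                }
            exit bad + 0
        }
    '
}

# Constructed samples in ip6tables-save format (not captured from a real host).
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

SAMPLE_CLOSED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Demo on the constructed samples; on a host, run as root:
#   ip6tables-save | check_ip6_policy
printf '%s\n' "$SAMPLE_OPEN" | check_ip6_policy || echo "IPv6 filter table is open"
printf '%s\n' "$SAMPLE_CLOSED" | check_ip6_policy && echo "IPv6 filter table defaults to DROP"
```

An empty dump is reported as open because a host where no IPv6 ruleset was ever loaded accepts everything by default.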
