Enabling IPv6 in Check Point Firewalls
The following describes the basic steps involved in enabling IPv6 on selected Check Point Firewall products. There are several other families of firewall products manufactured by Check Point, and this article does not attempt to cover them. See this Appliance Comparison Chart for information about other Check Point firewall products, and this Downloads & Documentation listing for information about additional Check Point security products.
SecurePlatform
Consider upgrading the SecurePlatform OS to GAiA before enabling IPv6. See the Issues encountered when upgrading from SecurePlatform to Gaia for details.
IPSO Appliance
Consider upgrading the IPSO Appliance OS to GAiA before enabling IPv6. See the Upgrading to GAiA Reference for details.
GAiA Security Gateway
To enable IPv6 on a GAiA Security Gateway:
- In the WebUI, go to the System Management > System Configuration page
- Select the IPv6 Support > On option
- Reboot the Security Gateway (the IPv6 setting takes effect only after the reboot; do not try to assign IPv6 addresses before it)
- Use the WebUI or the CLI to enable and configure the applicable interfaces for IPv6
- Use the WebUI or the CLI to configure IPv6 static routes
Configuring GAiA For the First Time describes, among other options, the command lines used to enable IPv6 on specified interfaces of a Check Point GAiA Security Gateway in detail.
A complete reference manual documenting GAiA configuration options is available here on the Check Point website. A separate chapter in that manual provides numerous examples and gives a detailed explanation of options specific to IPv6. An IPv6-specific Frequently Asked Questions (FAQ) file is maintained by Check Point.
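The same enablement driven from the Gaia command line instead of the WebUI, as an added example that is not part of the original page or of Check Point's documentation. The shell script below emits two clish scripts, one for each side of the mandatory reboot, and refuses obviously wrong input (a non-numeric or out-of-range prefix length, an IPv4 literal where an IPv6 address belongs). The interface name eth1, the 2001:db8: addresses and the prefix length are assumptions for illustration; the static-route command form is taken from the Gaia reference and should be confirmed against the Gaia version in use.

```shell
#!/bin/sh
# Added example, not Check Point's code: emit the clish scripts for the
# WebUI steps above. Interface, addresses and prefix length are assumptions.
# From the Gaia expert shell:
#   gaia_ipv6_stage1 > stage1.clish && clish -f stage1.clish && reboot
#   gaia_ipv6_stage2 eth1 2001:db8:1::1 64 2001:db8:1::ffff > stage2.clish
#   clish -f stage2.clish

# Stage 1: turn IPv6 on. Nothing else IPv6-related is accepted until the
# gateway has rebooted with this setting saved.
gaia_ipv6_stage1() {
    cat <<'EOF'
set ipv6-state on
save config
EOF
}

# Stage 2 (after the reboot): address one interface and add the default route.
# $1 interface, $2 IPv6 address, $3 prefix length, $4 next-hop gateway.
gaia_ipv6_stage2() {
    iface=$1; addr=$2; plen=$3; gw=$4
    case "$plen" in
        ''|*[!0-9]*) echo "prefix length must be numeric: $plen" >&2; return 1 ;;
    esac
    if [ "$plen" -lt 1 ] || [ "$plen" -gt 128 ]; then
        echo "prefix length out of range: $plen" >&2; return 1
    fi
    # Catch an IPv4 literal pasted where an IPv6 address belongs.
    for a in "$addr" "$gw"; do
        case "$a" in
            *:*) ;;
            *) echo "not an IPv6 address: $a" >&2; return 1 ;;
        esac
    done
    # Route command form assumed from the Gaia reference; confirm for your version.
    cat <<EOF
show ipv6-state
set interface $iface ipv6-address $addr mask-length $plen
set ipv6 static-route default nexthop gateway $gw on
save config
show interface $iface
show ipv6 route
EOF
}

# Stand-alone run prints both stages so they can be reviewed before use.
gaia_ipv6_stage1
echo "# --- reboot between stages ---"
gaia_ipv6_stage2 eth1 2001:db8:1::1 64 2001:db8:1::ffff
```

Run stage 1 with clish -f from the expert shell, reboot, then run stage 2. The show ipv6-state at the top of stage 2 confirms the setting survived the reboot before any address is applied, and the two show commands at the end are the check that the address and route actually landed.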
Disabling IPv6 in the GAiA Security Gateway
To disable IPv6 on an IPv6-enabled GAiA Security Gateway:
- In the WebUI, go to the System Management > System Configuration page
- Select the IPv6 Support > Off option
- Reboot the Security Gateway
Enabling IPv6 in Linux-based Firewalls
The following references describe the basic steps involved in enabling Internet Protocol version 6 (IPv6) firewalls on various Linux distributions. There are many distributions of Linux, and this article does not attempt to cover all of them.
Several Linux distributions use netfilter/ip6tables to implement a Linux-based firewall. An understanding of iptables and how it configures the netfilter tables residing in the Linux kernel is a prerequisite for the use of ip6tables. The command syntax of ip6tables closely follows that of iptables, with the 128-bit addresses used by IPv6, but the two tools maintain separate rule sets: an iptables rule never matches IPv6 traffic, so a host protected only by iptables is unfiltered on IPv6. ip6tables also has IPv6-specific matches (--icmpv6-type, and the rt, frag, hl and ipv6header extension-header matches), and an IPv6 policy must permit the ICMPv6 messages that Neighbor Discovery and Path MTU Discovery depend on (RFC 4890); a default-drop rule set copied from IPv4 that blocks all ICMP breaks IPv6 connectivity. On current distributions ip6tables is often a compatibility front end to nftables (iptables-nft); the rule syntax is unchanged, and ip6tables -V reports which backend is active. Many references for iptables are available on netfilter.org. ip6tables is described in detail here. This article provides an overview and examples of ip6tables rules for IPv6.
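An IPv6 rule set that shows the ICMPv6 point in practice, as an added example that is not from the original page or from netfilter.org. The shell function below writes an ip6tables-restore file with a default-drop INPUT chain that still admits the ICMPv6 error messages and Neighbor Discovery traffic IPv6 depends on, restricts NDP to the hop limit 255 that on-link senders use, leaves Redirect (type 137) out deliberately, and exposes a list of TCP ports only to a management prefix. The ports, the 2001:db8:100::/48 management prefix and the ping rate limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page or from netfilter.org:
# write an ip6tables-restore rule set with a default-drop INPUT chain that
# still admits the ICMPv6 traffic IPv6 depends on. Ports, the management
# prefix and the ping rate limit are assumptions for illustration.
#   gen_ip6tables_rules "22 443" "2001:db8:100::/48" > /etc/ip6tables.rules
#   ip6tables-restore --test /etc/ip6tables.rules   # parse only (root)
#   ip6tables-restore /etc/ip6tables.rules          # apply (root)

# Accept only "<ipv6>/<0-128>"; an IPv4 prefix here would make
# ip6tables-restore fail part-way through loading.
valid_prefix6() {
    case "$1" in
        *:*/*) ;;
        *) return 1 ;;
    esac
    len=${1##*/}
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 128 ]
}

# $1: space-separated TCP ports to expose; $2: IPv6 prefix allowed to reach them.
gen_ip6tables_rules() {
    ports=$1
    mgmt=$2
    valid_prefix6 "$mgmt" || { echo "bad IPv6 prefix: $mgmt" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 errors: dropping these breaks Path MTU Discovery and more (RFC 4890)
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Ping, rate limited
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Neighbor Discovery, types 133-136: genuine NDP is sent with hop limit 255,
# so anything routed in from off-link (hop limit decremented) is dropped.
# Redirect (137) is deliberately absent.
-A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# MLD queries (130) come from the link-local address of an on-link router
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 130 -j ACCEPT
EOF
    for p in $ports; do
        echo "-A INPUT -p tcp -s $mgmt --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Stand-alone run: print the rule set for review.
gen_ip6tables_rules "22 443" "2001:db8:100::/48"
```

Check the file without applying it with ip6tables-restore --test and apply it with ip6tables-restore, both as root. The prefix check exists because ip6tables rejects IPv4 addresses outright, and ip6tables-restore aborts the whole load when it hits one, which is easier to catch before the file is written than during a remote maintenance window.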
Among the “user-friendly” front ends developed to make iptables easier to use, only a few support ip6tables. Uncomplicated Firewall (ufw) and its graphical front end Gufw do, as does Shorewall6. Note that ufw generates IPv6 rules only when IPV6=yes is set in /etc/default/ufw; with IPV6=no its rules protect IPv4 only. firewalld, the default on Fedora and on RHEL 7 and later, applies its zone rules to both IPv4 and IPv6.
The SixXS website (archived circa Sept 2013) describes the use of ip6tables on Debian/Ubuntu. It also describes the use of pf, ipfw, and ipf on FreeBSD, and the use of pf on OpenBSD. ipfw is described in more detail here. pf is described in more detail here.
The Utah Center for High Performance Computing website (archived circa Apr 2016) describes the use of ip6tables on Red Hat Enterprise Linux (RHEL) 5 and RHEL 6.
The nixCraft website gives examples of the use of ip6tables on several Linux distributions, including Debian, Ubuntu, Fedora, RedHat, and CentOS. It also describes the use of pf on FreeBSD, OpenBSD, and NetBSD.
This Configuring the SuSE Firewall article documents the use of Yet another Setup Tool (YaST) to configure the iptables firewall for IPv4 on openSUSE and SUSE Linux Enterprise Server (SLES). This SuSEfirewall2 article further documents the use of YaST and the IPv6-specific options and limitations of YaST and the ip6tables firewall on openSUSE and SLES. SuSEfirewall2 was replaced by firewalld in openSUSE Leap 15 and SLES 15, so these articles apply to earlier releases.
The above are just a few of the available references describing the basic steps involved in enabling IPv6 on a Linux-based firewall. The organization that supports your Linux distribution is another resource. The man pages for iptables and ip6tables on your Linux system, and for pf, ipfw, and ipf on your BSD system, are also resources.
Enabling IPv6 in Apple macOS, OS X and Mac OS X Firewalls
The Application Firewall in Apple macOS (all versions), OS X (all versions) and Mac OS X (versions 10.5 Leopard and later) is Internet Protocol (IP)-agnostic: it allows or blocks incoming connections per application rather than per address, so it requires no configuration changes to support IP version 6 (IPv6), and its rules apply equally to IPv4 and IPv6. It is turned off by default. This Application Firewall is based on the TrustedBSD Mandatory Access Control (MAC) framework from FreeBSD and can be managed from the command line with /usr/libexec/ApplicationFirewall/socketfilterfw as well as from System Preferences. This article describes how to turn it on and configure it. The port-oriented firewall found in Mac OS X (versions 10.2 Jaguar through 10.4 Tiger), configured from the Sharing preference pane, was also IP-agnostic and turned off by default. This article describes how to turn it on and configure it. The Application Firewall was originally called the Application Layer (or Level) Firewall, or ALF.
Although the Application Firewall user interface only filters incoming connections, the underlying pf packet filter can be configured to filter outgoing packets as well, and to filter by address family: a pf rule carries an explicit inet or inet6 keyword, and a rule without one matches both IPv4 and IPv6.
Historically, the ipfw packet filter (and its replacement ipfw2, introduced in OS X 10.4 Tiger and also called ipfw) had been part of OS X since before it was OS X. ipfw originated in FreeBSD and is used by FreeBSD-derived systems; it is not a Linux packet filter. ipfw was deprecated in OS X 10.7 Lion and removed in OS X 10.10 Yosemite.
Then the pf packet filter was introduced in OS X 10.7 Lion, updated in OS X 10.8 Mountain Lion, and remained part of OS X (versions 10.9 Mavericks and later). pf originated in OpenBSD and is also used by FreeBSD, NetBSD and DragonFly BSD; it is not used by Linux distributions, whose equivalent is netfilter. The use of pf is described in this article. The OpenBSD pf is documented in more detail here. pf is controlled by the pfctl command. The use of pf and pfctl is described in this article. The OpenBSD pfctl is documented in more detail here.
macOS (all versions) includes the same pf packet filter and pfctl command used by OS X (versions 10.9 Mavericks and later). pf is not enabled by default on macOS; pfctl -s info reports whether it is running. Apple's own rules live in /etc/pf.conf and the com.apple anchor, and system updates can replace /etc/pf.conf, so local rules belong in a separate anchor file loaded from it. The use of pf and pfctl in macOS is described in this article. Filtering outgoing packets is described here. The references for OpenBSD pf and pfctl in the previous paragraph apply.
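A pf rule set that applies the two points above, address-family-specific rules and egress filtering, as an added example that is not Apple's code or part of the original page. The shell function below writes a rule set intended for a pf anchor file on macOS; a second function lists the rules that carry no inet or inet6 keyword and therefore apply to both families, which is the first thing to audit on a host where IPv6 was enabled after the rules were written. The interface name en0, the 2001:db8:100::/48 management prefix and the port lists are assumptions for illustration; the ICMPv6 type names are those of the OpenBSD pf.conf grammar that macOS pf inherits.

```shell
#!/bin/sh
# Added example, not Apple's code or the original page's: write a pf anchor
# file for macOS whose rules are address-family specific (inet6) and include
# an IPv6 egress policy, then list the rules that carry no address family.
# The interface en0, the management prefix and the port lists are assumptions.
#   gen_pf_conf6 en0 2001:db8:100::/48 /etc/pf.anchors/ipv6-policy
#   pfctl -nf /etc/pf.anchors/ipv6-policy                  # parse only
#   pfctl -a ipv6-policy -f /etc/pf.anchors/ipv6-policy    # load into the anchor
# with   anchor "ipv6-policy"   and
#        load anchor "ipv6-policy" from "/etc/pf.anchors/ipv6-policy"
# added to /etc/pf.conf so the anchor is reloaded with the rest of the rules.

# $1 external interface, $2 IPv6 prefix allowed to SSH in, $3 output file
gen_pf_conf6() {
    ext_if=$1; mgmt6=$2; out=$3
    cat > "$out" <<EOF
ext_if = "$ext_if"
mgmt6 = "$mgmt6"
# ICMPv6 IPv6 cannot function without: errors, PMTUD, ping, Neighbor Discovery
icmp6_ok = "{ unreach, toobig, timex, paramprob, echoreq, routersol, routeradv, neighbrsol, neighbradv }"

set skip on lo0
# No address family here, so this one rule blocks both IPv4 and IPv6 by default
block log all

# Neighbor Discovery and ICMPv6 errors in both directions, IPv6 only
pass in quick inet6 proto ipv6-icmp all icmp6-type \$icmp6_ok
pass out quick inet6 proto ipv6-icmp all icmp6-type \$icmp6_ok

# IPv6 egress policy: only what this host should originate, and no direct SMTP
pass out inet6 proto { tcp udp } from (\$ext_if) to any port { 53 80 443 } keep state
block return out log inet6 proto tcp from any to any port 25

# IPv6 ingress: SSH from the management prefix only
pass in inet6 proto tcp from \$mgmt6 to (\$ext_if) port 22 flags S/SA keep state
EOF
}

# Print pass/block rules that name no address family: each of them matches
# IPv4 and IPv6 alike, which is what to audit when IPv6 is enabled later.
pf_rules_without_af() {
    grep -E '^(pass|block)' "$1" | grep -vE ' (inet|inet6) '
}

# Stand-alone run writes the file to the temp directory and shows the audit.
pf_demo_file=${TMPDIR:-/tmp}/pf-ipv6-policy.conf
gen_pf_conf6 en0 2001:db8:100::/48 "$pf_demo_file"
pf_rules_without_af "$pf_demo_file"
```

Load the file through an anchor referenced from /etc/pf.conf rather than by editing /etc/pf.conf itself, syntax-check it with pfctl -nf before loading, and confirm pf is enabled with pfctl -s info, since a correct rule set in a disabled pf filters nothing.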
[Note: Apple no longer maintains man pages for software in OS X or Mac OS X on their website.] The man pages on your local system are resources.
Disabling IPv6
Rather than disabling IPv6 in the pf firewall, it is a better practice to disable IPv6 at the system level. See the Disabling IPv6 in Apple macOS, OS X and Mac OS X article in the IP Transport section.
Enabling IPv6 in Microsoft Windows-based Firewalls
Most of the settings available in the basic Windows Firewall are IP-agnostic, so filtering rules apply equally to IPv4 and IPv6. This has been the case since Windows Firewall became IPv6-aware in Windows XP Service Pack 2. Even in Windows Firewall with Advanced Security, most filtering rules are still either port-oriented (specified TCP or UDP ports) or program-oriented (specified applications that use those ports), and neither kind distinguishes IPv4 from IPv6.
The predefined Inbound and Outbound Rules are IP-agnostic by default. Only Scope Settings made when configuring custom Inbound or Outbound Rules are IP-protocol specific (specified IPv4 or IPv6 addresses or address ranges on the Scope tab). Scope addresses are matched against the packet's addresses, so a block rule scoped to IPv4 addresses only does not block IPv6 traffic to the same port, and an allow rule scoped to IPv4 addresses only does not admit IPv6; audit scoped rules for both families. On Windows 8/Server 2012 and later, Get-NetFirewallRule piped to Get-NetFirewallAddressFilter lists each rule's local and remote address scope. Making Scope Settings in different Microsoft Windows versions is shown as follows:
- XP is shown here,
- XP SP2 and SP3 is shown here,
- Vista is shown here,
- Windows 7 is shown here,
- Windows 8/8.1 is shown here,
- and Windows 10/11 is shown here and here.
Documentation for Scope Settings in different Microsoft Windows versions is available as follows:
- XP SP2 and SP3 is available here,
- Vista, Server 2008, Windows 7, and Server 2008 R2 is available here,
- Windows Server 2012 is available here, and
- Windows Server 2016 (and later) and Windows 8 (and later) is available here.
Disabling IPv6 in Microsoft Windows-based Firewalls
Rather than disabling IPv6 in the firewall (for the few individual custom Inbound or Outbound Rules that may have been configured as IP-protocol specific), it is a better practice to selectively disable it in the operating system. See the “Disabling IPv6 in Microsoft Windows” article for the appropriate version of Windows in the IP Transport section.
TIC Initiative History
The Trusted Internet Connection (TIC) Initiative was announced in 2007 by Office of Management and Budget (OMB) memorandum M-08-05 and updated in 2009 by OMB memorandum M-09-32. A TIC Reference Architecture Document, Version 2.2, was released in June 2017. This document is applicable to all United States (US) Federal government civilian agencies, but particularly to those acting as TIC Access Providers (TICAPs), the agencies responsible for managing their TIC internet access point's physical location and corresponding security capabilities, and to those designated as Multi-Service TICAPs, the agencies providing services to other agencies through a shared services model. The process for an agency to be designated as a Multi-Service TICAP by completing a TIC Statement of Capability (SOC) Form is set forth in this attachment to OMB memorandum M-08-16. All network connections external to an agency are to be monitored by a Department of Homeland Security (DHS) National Cybersecurity Protection System (NCPS) sensor, operationally known as an EINSTEIN Enclave.
In Sept 2019, OMB Memorandum M-19-26 announced an update to the TIC Initiative called “TIC 3.0”. In accordance with OMB memorandum M-17-26 (Reducing Burden for Federal Agencies by Rescinding and Modifying OMB Memoranda, June 2017), the earlier memoranda related to the TIC Initiative (M-08-05, M-08-16, M-08-27 and M-09-32) were rescinded by the OMB. A new home page was also established for the TIC Initiative (authentication required).
Rather than requiring agencies to employ only physical TIC access points, M-19-26 lets them use alternative security controls identified by the TIC Use Cases contained in its Appendix A and by the Hybrid Identity Solutions Guidance (Mar 2024).
In 2024, the DHS Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance documents for TIC 3.0. The core guidance documents are available here, and guidance for their use is available here. A TIC 3.0 Frequently Asked Questions document is available here. In Jan 2022, CISA released an IPv6 Considerations for TIC 3.0 document. In Dec 2023, the CISA Cybersecurity Division released a TIC 3.0 Cloud Use Case document.
CISA also released a 2-volume NCPS Cloud Interface Reference Architecture (CIRA) describing requirements for data sharing at TIC access points in cloud computing environments:
- Volume 1 – General Guidance, May 2021, provides an overview of the changes that enable NCPS to share data with TIC 3.0, and
- Volume 2 – Reporting Pattern Catalog, June 2021 draft, provides details of the vendor-specific changes that enable data sharing.
In Aug 2020, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-207, Zero Trust Architecture (ZTA). Section 6 of that document discusses other Federal policies and programs, including the TIC 3.0 Initiative and the older DHS EINSTEIN Program, and how a NIST ZTA complements them.
Available Managed Trusted Internet Protocol Services Providers
The General Services Administration (GSA) authorized, or will authorize pending TIC Initiative certification, multiple Networx and Enterprise Infrastructure Solutions (EIS) vendors to be Managed Trusted Internet Protocol Services (MTIPS) providers. The alignment of MTIPS with the TIC Initiative is described by this GSA web page. The list of vendors authorized to be MTIPS providers that are accessible via Internet Protocol version 6 (IPv6) is available here. MTIPS are available as a separate managed security service, or as part of an agency’s specific statement of work directly with the vendor. GSA has also provided answers to Networx IPv6 Frequently Asked Questions.
(Note: The GSA is in the midst of an EIS acquisition. The Networx contract, among others, is transitioning to EIS. See this GSA web page describing the ongoing multi-year transition.)
Additional United States Government Requirements for IPv6
US government organizations' requirements for IPv6 as part of the TIC Initiative are specified in:
- Critical Capabilities line item TM.TC.03 of the TIC 3.0 Core Guidance Volume 2: Reference Architecture,
- paragraph C.2.3.1.2 Standards of an EIS Statement of Work (SOW) (see sample SOW here), and
- paragraph C.2.4.1.5.1.2 Standards, item 29, of a Networx SOW (see sample SOW here).
The requirements of the Federal Acquisition Regulation (FAR) as amended in Dec 2009 (described in the IPv6 Boiler Plate Acquisitions Language article in the Deployment section) apply. Verify that connectivity via IPv6 to the MTIPS provider's locations is available from the geographic locations included in your IPv6 deployment effort, rather than assuming it from the provider's listing.
