Firewalld rules to secure IPv6 network services
FIREWALLD RICH RULES: (replace 1234 with your desired port)

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="::1" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="fe80::/10" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="2000::/3" port port="1234" protocol="tcp" drop'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="2000::/3" port port="1234" protocol="udp" drop'
sudo firewall-cmd --reload

FIREWALLD DIRECT RULES FOR DOCKER:

For Docker containers, apply direct rules that drop connections from the whole IPv6 GUA prefix (2000::/3) to a specific container port.

First add the DOCKER-USER chain for firewalld:
sudo firewall-cmd --permanent --direct --add-chain ipv6 filter DOCKER-USER

Give the DOCKER-USER chain the highest priority in the FORWARD chain:
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j DOCKER-USER

Drop traffic to TCP internal ports:
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter DOCKER-USER 1 -p tcp -s 2000::/3 --dport [docker container internal port] -j DROP

Drop traffic to UDP internal ports:
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter DOCKER-USER 1 -p udp -s 2000::/3 --dport [docker container internal port] -j DROP

sudo firewall-cmd --reload

Repeat these rules for every port you want to secure. For Docker containers in host network mode, do the same with rich firewalld rules and the host ports.

Your services remain reachable on your local network by hostname, over both the IPv4 intranet address and the IPv6 link-local address, or via a reverse proxy + web domain with SSL; nobody can reach them by typing your GUA IP + service port.
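The note asks you to repeat the rich rules for every port. The POSIX shell script below is an added example (not part of the original note) that generates those rules from a list of host ports, validates each port number, and applies them through firewall-cmd. The function names (valid_port, rich_rules_for_port, direct_rules_for_port, apply_rules) and the FIREWALL_CMD override variable are assumptions introduced here; setting FIREWALL_CMD=echo gives a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not from the original note: build and apply the IPv6
# firewalld rules described above for one or more ports.

GUA_PREFIX="2000::/3"        # global unicast range the note blocks
ZONE="public"

# Return 0 when $1 is a numeric port in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two rich rules (tcp, udp) that drop GUA sources for a host port.
rich_rules_for_port() {
    port=$1
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    for proto in tcp udp; do
        printf 'rule family="ipv6" source address="%s" port port="%s" protocol="%s" drop\n' \
            "$GUA_PREFIX" "$port" "$proto"
    done
}

# Print the two direct rules (tcp, udp) for a Docker container internal port,
# in the argument form firewall-cmd --direct --add-rule expects.
direct_rules_for_port() {
    port=$1
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    for proto in tcp udp; do
        printf 'ipv6 filter DOCKER-USER 1 -p %s -s %s --dport %s -j DROP\n' \
            "$proto" "$GUA_PREFIX" "$port"
    done
}

# Apply the loopback/link-local accepts plus the drop rules for every port
# given, then reload.  FIREWALL_CMD (assumed variable) overrides the command;
# FIREWALL_CMD=echo is a dry run.
apply_rules() {
    cmd=${FIREWALL_CMD:-sudo firewall-cmd}
    for port in "$@"; do
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    done
    for src in "::1" "fe80::/10"; do
        $cmd --permanent --zone="$ZONE" \
            --add-rich-rule="rule family=\"ipv6\" source address=\"$src\" accept" || return 1
    done
    for port in "$@"; do
        rich_rules_for_port "$port" | while IFS= read -r rule; do
            $cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || exit 1
        done || return 1
    done
    $cmd --reload
}

# Example invocation when run directly (constructed ports 1234 and 8443):
#   FIREWALL_CMD=echo sh this_script.sh 1234 8443
if [ "$#" -gt 0 ]; then
    apply_rules "$@"
fi
```

Run it with FIREWALL_CMD=echo first and compare the printed commands against the rules in the note before running it for real; the direct_rules_for_port output can be passed to `sudo firewall-cmd --permanent --direct --add-rule` for the Docker case.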