It is very common that the ISP-provided modem only allows you to block all incoming IPv6 connections entirely or let all incoming requests through.
To publish your service on the internet, the only option is to tell the ISP-provided modem to let all incoming requests through. However, this poses a security risk: it may accidentally expose private services to the internet (e.g. SMB sharing or remote desktop).
To improve security on such a network, each device needs to configure its own firewall properly. A device needs to either block all incoming IPv6 requests or only allow connections from hosts with the same IPv6 prefix. For the sake of convenience, we obviously want the latter. But things get complicated when you have a dynamic IPv6 prefix from your ISP.
Generally speaking, you must run a script to update the firewall rules each time your prefix changes.
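The sketch below is an added example, not code from the original page: it derives the current prefix from a host's addresses and produces an update only when the prefix has changed. It assumes nftables as the firewall, a hypothetical interval set `lan6` in table `inet filter`, and a /64 on-link prefix; the sample addresses are constructed.

```python
import ipaddress

# Global unicast space; link-local (fe80::/10) and ULA (fc00::/7) fall outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample: addresses as an interface might report them.
SAMPLE = [
    "fe80::1c2d:3eff:fe4f:5a6b/64",
    "fd12:3456:789a:1::10/64",
    "2001:db8:aa:1:1c2d:3eff:fe4f:5a6b/64",
]

def current_prefix(addresses, prefix_len=64):
    """Return the prefix of the first global unicast address, or None."""
    for text in addresses:
        try:
            # Drop any "/len" suffix and "%zone" scope before parsing.
            addr = ipaddress.ip_address(text.split("/")[0].split("%")[0])
        except ValueError:
            continue  # skip anything that is not an IP address
        if addr.version == 6 and addr in GLOBAL_UNICAST:
            return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return None

def is_same_prefix(source, prefix):
    """True if a connection source lies inside the allowed prefix."""
    return prefix is not None and ipaddress.ip_address(source) in prefix

def plan_update(addresses, previous, nft_set="inet filter lan6"):
    """Return (prefix, script); script is text for `nft -f -`, empty if unchanged.

    `nft_set` is a hypothetical set name; it must be declared with `flags interval`.
    Flush and add go in one script so the set is replaced in a single transaction.
    """
    prefix = current_prefix(addresses)
    if prefix == previous:
        return prefix, ""
    script = f"flush set {nft_set}\n"
    if prefix is not None:
        script += f"add element {nft_set} {{ {prefix} }}\n"
    # With no global address the set is only flushed, so nothing stays allowed.
    return prefix, script

if __name__ == "__main__":
    old = ipaddress.ip_network("2001:db8:99:1::/64")  # constructed previous prefix
    print(plan_update(SAMPLE, old)[1], end="")
```
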
So the automated firewall rule modification can be broken down into two parts:
- Set up the firewall to allow dynamic updates of the rule set