I just use ip6tables on my Ubuntu server router It works great for what I'm using it for (a home network and testing server)

I think, the most simple way will be using operating system capabilities. Why don't use built-in packet filter? During firewall policy construction pay attention to icmp6. Don't block that if you really don't know what are you doing. IPv6 transfers a lot of informations using that. And sixxs PoPs use that for tunnel life monitoring also.

In IPv6 the expectancy is to let the end-hosts do the firewalling. The largest reason for this being the fact that a host in the middle doesn't know anything about the state of the end-host. If you are going to do 'guesses' on the middle host (the 'firewall' in the traditional sense), those guesses might be wrong, especially when one has protocols which pass ip/port information inside the protocol, eg FTP is the classical example. As such, you will still need to do all the NAT-alike work in that firewall to inspect the data completely and most likely you do not know that cool new application that is being used. Do also remember that if you open port 80 (HTTP), applications will just tunnel over port 80. If you have port 443 (HTTP over SSL) open, apps will just nicely make their protocol look like that (which is easy, just stunnel it). As such per-port filtering is not helping you in anyway. Incoming connections of course can be blocked a bit, but that might break for instance FTP or other protocols as mentioned above. The problem thus becomes, even though one is giving every host a nice public IP address and is making them globally reachable, that one still can't properly use the whole end-to-end idea as the firewall in the middle is making broken assumptions/guesses and is thus breaking end-to-end. Letting the end-host do the firewalling allows the user or a tool using that end-host to say 'yes that application is allowed to make that connection / listen on that port for incoming connections. That is much more powerful than you can ever have on your central (distributed) firewall, it also allows you to do actual firewalling upto high speeds. Remember that IPv6 was designed for simple forwarding in routers, allowing them to become much faster as they don't have to process that much anymore (which is a bit of a false story actually :) In a corporate environment one will of course not like that as one doesn't have full control over the firewall in the end-host in many cases. But in the case of a Microsoft based network, with Active Directory in place, one can already do most of this today. Microsoft is also pushing for this model. On other platforms though, you are mostly out of luck, as anybody can root them easily and thus circumvent most of the measures you install, that is, if those measures are available at all in the first place.