On nodes that face peers you will want a firewall that routes only packets whose source and destination are both in fd00::/8 (the overlay's unique-local range), plus whatever part of the multicast range ff00::/8 is actually needed.
This keeps your node from being turned into an exit node by surprise: a packet to or from any address outside the overlay is dropped instead of forwarded. Note that the rules below are a pure allow list of ACCEPT rules; they only have that effect if the default policy of the INPUT, OUTPUT and FORWARD chains is DROP, which is not something ip6tables does on its own.
I also included a rule to require that VPN packets that traverse the node are protected by transport IPsec. This encourages the end nodes to use IPsec to communicate and thus lessens the possibility of trouble for them if I have to intercept the data they transit.
    LL='fe80::/64'   # link-local, used by neighbour discovery
    MC='ff00::/8'    # all IPv6 multicast
    FC='fd00::/8'    # locally assigned unique-local: the overlay's address range
    for N in free0 free1 free2
    do
        # overlay traffic that starts or ends on this node
        ip6tables -A INPUT  -i "$N" -s ${FC} -d ${FC} -j ACCEPT
        ip6tables -A OUTPUT -o "$N" -s ${FC} -d ${FC} -j ACCEPT
        # neighbour discovery: link-local to multicast, link-local to link-local
        ip6tables -A INPUT  -i "$N" -s ${LL} -d ${MC} -j ACCEPT
        ip6tables -A OUTPUT -o "$N" -s ${LL} -d ${MC} -j ACCEPT
        ip6tables -A INPUT  -i "$N" -s ${LL} -d ${LL} -j ACCEPT
        ip6tables -A OUTPUT -o "$N" -s ${LL} -d ${LL} -j ACCEPT
        # mDNS (ff02::fb) from overlay addresses
        ip6tables -A INPUT  -i "$N" -s ${FC} -d ff02::fb -j ACCEPT
        ip6tables -A OUTPUT -o "$N" -s ${FC} -d ff02::fb -j ACCEPT
        # transit between two different peer-facing interfaces: IPsec only
        for J in free0 free1 free2
        do
            if test "$N" != "$J"
            then
                # let through IPSec
                ip6tables -A FORWARD -i "$N" -o "$J" -s ${FC} -d ${FC} --protocol esp -m ipv6header --header ah,esp -j ACCEPT
                # let through ISAKMP
                ip6tables -A FORWARD -i "$N" -o "$J" -s ${FC} -d ${FC} --protocol udp --sport 500 --dport 500 -j ACCEPT
            fi
        done
    done

One thing to verify on a live flow before relying on the IPsec rule: according to the ip6tables(8) documentation, the ipv6header match without --soft matches only packets that contain exactly the listed headers, so --header ah,esp would not match a packet carrying ESP alone, which is what transport-mode ESP between two end nodes normally looks like. If ESP-only flows are meant to pass, either add --soft or drop the ipv6header match and rely on --protocol esp (and a separate --protocol ah rule if AH is wanted).
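As an added example, not the script from this page, here is the same policy written as a generator for an ip6tables-restore file. It makes the DROP default policies explicit, matches ESP and AH by protocol, takes the peer-facing interface names as arguments, and prints the ruleset so it can be reviewed or diffed before being loaded atomically. The interface names free0, free1 and free2 are the page's; the loopback rules, the single-direction IKE rule and the helper names gen_rules and count_forward are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate an ip6tables-restore ruleset for an overlay node.
# Not the page's own script; interface names on the command line are the
# peer-facing interfaces (e.g. free0 free1 free2).

LL='fe80::/64'   # link-local, used by neighbour discovery
MC='ff00::/8'    # all IPv6 multicast
FC='fd00::/8'    # locally assigned unique-local: the overlay's address range
MDNS='ff02::fb'  # mDNS group

# rule WORDS... : print one ip6tables-restore line.
rule() { printf '%s\n' "$*"; }

# gen_rules IFACE... : print a complete restore file for the given interfaces.
gen_rules() {
    rule '*filter'
    # DROP policies: everything not explicitly accepted below is dropped,
    # including any packet to or from an address outside fd00::/8.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    # Loopback is not peer-facing; keep local services working (assumed).
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    for N in "$@"; do
        # Overlay traffic that starts or ends on this node.
        rule -A INPUT -i "$N" -s "$FC" -d "$FC" -j ACCEPT
        rule -A OUTPUT -o "$N" -s "$FC" -d "$FC" -j ACCEPT
        # Neighbour discovery: link-local to multicast and link-local to link-local.
        rule -A INPUT -i "$N" -s "$LL" -d "$MC" -j ACCEPT
        rule -A OUTPUT -o "$N" -s "$LL" -d "$MC" -j ACCEPT
        rule -A INPUT -i "$N" -s "$LL" -d "$LL" -j ACCEPT
        rule -A OUTPUT -o "$N" -s "$LL" -d "$LL" -j ACCEPT
        # mDNS from overlay addresses.
        rule -A INPUT -i "$N" -s "$FC" -d "$MDNS" -j ACCEPT
        rule -A OUTPUT -o "$N" -s "$FC" -d "$MDNS" -j ACCEPT
        # Transit between two different peer-facing interfaces: only IPsec
        # (ESP or AH) and IKE on UDP/500. Plain, unprotected fd00::/8 traffic
        # and anything with a non-overlay address falls through to DROP.
        for J in "$@"; do
            [ "$N" = "$J" ] && continue
            rule -A FORWARD -i "$N" -o "$J" -s "$FC" -d "$FC" -p esp -j ACCEPT
            rule -A FORWARD -i "$N" -o "$J" -s "$FC" -d "$FC" -p ah -j ACCEPT
            rule -A FORWARD -i "$N" -o "$J" -s "$FC" -d "$FC" -p udp --dport 500 -j ACCEPT
        done
    done
    rule 'COMMIT'
}

# count_forward IFACE... : number of FORWARD rules generated, which should be
# 3 per ordered pair of distinct interfaces (n*(n-1)*3 for n interfaces).
count_forward() {
    gen_rules "$@" | awk '/^-A FORWARD /{n++} END{print n+0}'
}

# Usage:
#   gen_rules free0 free1 free2 > /etc/ip6tables.rules
#   ip6tables-restore < /etc/ip6tables.rules
```

The DROP policies apply to every IPv6 interface on the node, not only the peer-facing ones, so before loading the file add rules for whatever native IPv6 access the node itself needs (management SSH, the tunnel transport if it runs over IPv6). Loading through ip6tables-restore rather than a sequence of ip6tables -A calls also avoids the window in which the chains are half built.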