VPN IP6Tables Firewall

On nodes facing peers, you will want a firewall so that only packets from and to fd00::/8 (the locally assigned ULA range) are routed, plus whatever part of the multicast range ff00::/8 is needed for neighbour discovery and the like.

This should prevent your node from being used as an exit node by surprise: packets with a global source or destination never match an accept rule and are dropped on the peer interfaces.

I also included rules to require that VPN packets transiting the node (in on one peer interface, out on another) are protected by transport-mode IPsec, ESP or AH, together with the IKE/ISAKMP exchange on UDP port 500 that the end nodes need to set it up. This encourages the end nodes to use IPsec between themselves and thus lessens the possibility of trouble for them if I have to intercept the data they transit through me.

#!/bin/sh
# Link-local, multicast and ULA ranges. Plain single quotes so this also
# runs under /bin/sh (dash has no bash-style $'...' quoting).
LL='fe80::/64'
MC='ff00::/8'
FC='fd00::/8'

# Interfaces that face VPN peers.
IFACES='free0 free1 free2'

for N in $IFACES
do
        # Local traffic: ULA to ULA, link-local to multicast (neighbour
        # discovery), link-local to link-local, and ULA to mDNS (ff02::fb).
        ip6tables -A INPUT   -i $N -s ${FC} -d ${FC} -j ACCEPT
        ip6tables -A OUTPUT  -o $N -s ${FC} -d ${FC} -j ACCEPT
        ip6tables -A INPUT   -i $N -s ${LL} -d ${MC} -j ACCEPT
        ip6tables -A OUTPUT  -o $N -s ${LL} -d ${MC} -j ACCEPT
        ip6tables -A INPUT   -i $N -s ${LL} -d ${LL} -j ACCEPT
        ip6tables -A OUTPUT  -o $N -s ${LL} -d ${LL} -j ACCEPT
        ip6tables -A INPUT   -i $N -s ${FC} -d ff02::fb -j ACCEPT
        ip6tables -A OUTPUT  -o $N -s ${FC} -d ff02::fb -j ACCEPT
        for J in $IFACES
        do
                if [ "$N" != "$J" ]
                then
                        # Transit between two peer interfaces only for IPsec.
                        # Plain -p esp / -p ah rather than an ipv6header match:
                        # "-m ipv6header --header ah,esp" without --soft only
                        # matches packets that carry BOTH headers. Note that AH
                        # authenticates but does not encrypt; ESP is what hides
                        # the payload from a transit node.
                        ip6tables -A FORWARD -i $N -o $J -s ${FC} -d ${FC} -p esp -j ACCEPT
                        ip6tables -A FORWARD -i $N -o $J -s ${FC} -d ${FC} -p ah  -j ACCEPT
                        # IKE/ISAKMP so the end nodes can negotiate their SAs.
                        ip6tables -A FORWARD -i $N -o $J -s ${FC} -d ${FC} -p udp --sport 500 --dport 500 -j ACCEPT
                fi
        done
done

# Default deny for the peer interfaces, appended after all the ACCEPT rules
# so that rule order stays correct. Without these the ACCEPT rules filter
# nothing, since the chain policies default to ACCEPT; scoping the DROP to
# the interface leaves the rest of the host's firewall untouched.
for N in $IFACES
do
        ip6tables -A INPUT   -i $N -j DROP
        ip6tables -A OUTPUT  -o $N -j DROP
        ip6tables -A FORWARD -i $N -j DROP
        ip6tables -A FORWARD -o $N -j DROP
done
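To check what the policy above actually does to a packet without root or a test box, here is an offline model of it in plain shell. This is an added example, not part of the original page: it re-implements the rule logic (ULA to ULA accepted on the peer interfaces, neighbour discovery and mDNS allowed, transit between two different peer interfaces only for ESP, AH or IKE on UDP 500, everything else on those interfaces dropped) and runs it over a handful of constructed packets. It assumes the interface names free0, free1 and free2 from the page, addresses written in lowercase canonical text form so that range tests can be string-prefix checks, and it reports traffic that never touches a peer interface as UNPOLICED rather than guessing at the rest of the host's firewall.

```shell
#!/bin/sh
# Offline model of the VPN interface policy (added example, not the page's own
# code). Lets you see the verdict for a packet without ip6tables or root.
# Assumptions: peer interfaces free0..free2; addresses in lowercase canonical
# text form; traffic not touching a peer interface is reported as UNPOLICED.

VPN_IFACES="free0 free1 free2"

in_vpn() {                       # in_vpn IFACE: true if IFACE is a peer interface
    for vif in $VPN_IFACES; do
        [ "$1" = "$vif" ] && return 0
    done
    return 1
}

# Address classes used by the rules: fd00::/8, fe80::/64, ff00::/8.
is_ula()   { case "$1" in fd*) return 0 ;; *) return 1 ;; esac; }
is_ll()    { case "$1" in fe80::*|fe80:0:0:0:*) return 0 ;; *) return 1 ;; esac; }
is_mcast() { case "$1" in ff*) return 0 ;; *) return 1 ;; esac; }

# decide CHAIN IN_IF OUT_IF SRC DST PROTO SPORT DPORT
# CHAIN is INPUT, OUTPUT or FORWARD; pass "-" for fields that do not apply.
# Prints ACCEPT, DROP or UNPOLICED, following the rule order of the script
# with a per-interface DROP at the end of each chain.
decide() {
    chain=$1; in_if=$2; out_if=$3; src=$4; dst=$5; proto=$6; sport=$7; dport=$8
    case $chain in
    INPUT|OUTPUT)
        if [ "$chain" = INPUT ]; then ifc=$in_if; else ifc=$out_if; fi
        in_vpn "$ifc" || { echo UNPOLICED; return; }
        if is_ula "$src" && is_ula "$dst";   then echo ACCEPT; return; fi
        if is_ll "$src"  && is_mcast "$dst"; then echo ACCEPT; return; fi  # neighbour discovery
        if is_ll "$src"  && is_ll "$dst";    then echo ACCEPT; return; fi
        if is_ula "$src" && [ "$dst" = ff02::fb ]; then echo ACCEPT; return; fi  # mDNS
        echo DROP
        ;;
    FORWARD)
        if ! in_vpn "$in_if" && ! in_vpn "$out_if"; then echo UNPOLICED; return; fi
        # Transit only between two different peer interfaces, ULA to ULA, and
        # only for IPsec itself (ESP or AH) or the IKE exchange on UDP 500.
        if in_vpn "$in_if" && in_vpn "$out_if" && [ "$in_if" != "$out_if" ] \
           && is_ula "$src" && is_ula "$dst"; then
            case $proto in
            esp|ah) echo ACCEPT; return ;;
            udp) if [ "$sport" = 500 ] && [ "$dport" = 500 ]; then echo ACCEPT; return; fi ;;
            esac
        fi
        echo DROP
        ;;
    *) echo DROP ;;
    esac
}

# Constructed sample packets (not captured traffic), one per line:
# chain in_if out_if src dst proto sport dport
SAMPLES='
INPUT   free0 -     fd00:1::2    fd00:1::1      tcp    40000 22
INPUT   free0 -     2001:db8::1  fd00:1::1      tcp    40000 22
OUTPUT  -     free1 fd00:1::1    2001:db8::1    tcp    40001 443
FORWARD free0 free1 fd00:1::2    fd00:2::3      tcp    40002 443
FORWARD free0 free1 fd00:1::2    fd00:2::3      esp    -     -
FORWARD free0 free1 fd00:1::2    fd00:2::3      udp    500   500
FORWARD free0 free1 2001:db8::1  fd00:2::3      esp    -     -
FORWARD free0 free0 fd00:1::2    fd00:2::3      esp    -     -
INPUT   free0 -     fe80::1      ff02::1        icmpv6 -     -
INPUT   free0 -     ::           ff02::1:ff00:1 icmpv6 -     -
'

run_samples() {                  # prints "VERDICT chain in out src dst proto sport dport"
    printf '%s\n' "$SAMPLES" | while read -r chain i o s d p sp dp; do
        [ -n "$chain" ] || continue
        printf '%-9s %s %s %s %s %s %s %s %s\n' \
            "$(decide "$chain" "$i" "$o" "$s" "$d" "$p" "$sp" "$dp")" \
            "$chain" "$i" "$o" "$s" "$d" "$p" "$sp" "$dp"
    done
}

run_samples
```

The sample set shows the two properties the page is after (a global address in either direction is dropped, and cleartext transit is dropped while ESP and IKE transit pass) and one caveat worth knowing: a duplicate address detection probe is sent from the unspecified source `::` and matches none of the link-local rules, so if your peer interfaces carry link-local addresses those probes are dropped by this policy. On a real node the equivalent check is `ip6tables -C` for a specific rule, or watching the counters in `ip6tables -L -v -n` while sending the packet.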