I maintain several networks of 5-20 computers, which sit behind a traditional IPv4 router / firewall setup. Outbound connections are NATted, and clients outside the router access individual services via port forwarding through the router.
I'm interested in starting to use IPv6 for (some of) these machines, but I don't want to unknowingly open them up to arbitrary access from the Big Bad Internet. I do want to allow certain protocols through as directly as possible. For example, I'd like to allow direct SSH access to one of the machines.
Is there a good way to do this, without also requiring a full firewall setup on each individual machine? Should I just think of my router's public-facing IPv6 address as the entry address to an n-bit subnet where all my intranet machines live, and handle firewalling by dropping SYN packets to ports and machines that I don't want to allow access to?
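One way to get this on a Linux router, as an added example that is not part of the question above: a stateful nftables forwarding filter that drops everything arriving unsolicited from the uplink, lets replies to LAN-initiated connections back in, and opens exactly one service (SSH to one host) directly on its global address, with no port forwarding involved. Matching on connection state (`ct state`) rather than on TCP SYN flags also covers UDP and ICMPv6, which have no SYN. The interface names `wan0`/`lan0`, the documentation prefix `2001:db8:1::/64` and the host address `2001:db8:1::10` are assumptions for the example; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original question): stateful IPv6 forward
# filter for a Linux router. Load with: nft -f this-file
# Assumptions: uplink interface "wan0", LAN interface "lan0",
# LAN prefix 2001:db8:1::/64, SSH host 2001:db8:1::10.

define wan = "wan0"
define lan = "lan0"
define ssh_host = 2001:db8:1::10

table ip6 filter {
    chain forward {
        # Default: drop anything this chain does not explicitly accept.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN machines opened are let back in.
        ct state established,related accept

        # Anything leaving the LAN towards the Internet is allowed.
        iifname $lan oifname $wan accept

        # Do not drop ICMPv6 wholesale. IPv6 routers never fragment, so
        # Packet Too Big must reach the hosts for path-MTU discovery; the
        # other types listed are the error/echo messages RFC 4890
        # recommends forwarding. Neighbor discovery is link-local and is
        # never forwarded, so it needs no rule here.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # The one service exposed directly: new SSH connections from the
        # uplink to a single LAN host, addressed by its global address.
        iifname $wan ip6 daddr $ssh_host tcp dport 22 ct state new accept

        # Count what the default policy drops, to see unsolicited traffic.
        counter drop
    }
}
```

This only governs traffic forwarded through the router; the router's own `input` chain (which must still admit router advertisements, neighbor discovery and whatever management access you want) is separate and not shown. Each LAN host keeps its global address and needs no local firewall for this scheme to hold, as long as the router is the only path between the LAN and the uplink.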