On Fri, Apr 21, 2023 at 12:40 PM Carlos E. R. <robin.listas@telefonica.net> wrote: ...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
...
Still, I don't know how to do that in SuSEfirewall2 or firewalld.
firewalld by default blocks all incoming traffic unless you set zone target (policy) to ACCEPT. Which in zone definitions that come with firewalld is only set for the zone "trusted".
And that would only be temporary, there are machines in the intranet which I don't control, like the printer, the google chromecast...
As usual, you are shifting goalposts. You started with "I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld". If you now talk about other devices, then either read the documentation for these other devices or ask on support channels for these other devices or install a box between your router and your LAN and configure a firewall on this box. Which will automatically solve the problem of changing prefixes as this box will have a fixed internal interface and a fixed external interface so it will make unambiguous what traffic comes from outside.