How to configure something like "Reflexive ACL" on OpenBSD?
Posted by Earlz on Server Fault
Published on 2012-03-29T07:27:58Z
Indexed on 2012/03/29 17:33 UTC
My U-Verse modem has something called "Reflexive ACL", described as:
Reflexive ACL: When IPv6 is enabled, you can enable Reflexive Access Control Lists to deny inbound IPv6 traffic unless this traffic results from returning outgoing packets (except as configured through firewall rules).
This seems like a pretty good way to keep from having to maintain a firewall on each computer behind my router that gets handed an IPv6 address. It sounds about like a NAT, which for my small home network is all I want right now.
Now my modem sucks as a router though, so I'm in the process of configuring an OpenBSD router to do that. I've got IPv6 supported and all that and my OpenBSD router will hand out IPv6 addresses by rtadvd. Now I want to keep people from having instant access to my local network through IPv6.
How would I best do something like Reflexive ACL with pf in OpenBSD 5.0?
© Server Fault or respective owner
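The behaviour the question describes (inbound IPv6 is dropped unless it is return traffic for a connection opened from inside) maps onto pf's stateful filtering. The ruleset below is an added example, not part of the original post; the interface names `em0` (WAN, toward the modem) and `em1` (LAN) are assumptions, and the rules cover IPv6 only, so they are meant to sit alongside whatever IPv4 rules already exist.

```pf
# Added example (not from the original post).
# Assumptions: em0 faces the modem (WAN), em1 faces the LAN.
ext_if = "em0"
int_if = "em1"

# Drop (and log to pflog0) every IPv6 packet arriving on the WAN side
# unless a later rule or an existing state entry allows it.
# pf uses "last matching rule wins", so this default goes first.
block in log on $ext_if inet6

# Neighbor discovery and router advertisements on the WAN link must
# reach the router itself, or IPv6 toward the modem stops working.
pass in on $ext_if inet6 proto icmp6 \
    icmp6-type { neighbrsol, neighbradv, routeradv }

# LAN hosts may open IPv6 connections outward. "pass" rules keep state
# by default, so replies match the state entry and bypass the block
# rule above. ICMPv6 errors that refer to an existing state (for
# example "packet too big") are matched to that state as well.
pass in  on $int_if inet6
pass out on $ext_if inet6

# Nothing here passes new inbound connections to LAN addresses, which
# is the "reflexive" behaviour. A deliberate exception would be one
# more "pass in on $ext_if inet6 ..." rule placed after the block rule.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to see the state entries that let return traffic through.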