There's a short list at https://en.wikipedia.org/wiki/Martian_packet#IPv6. And ULA is fc00::/7. I use
ipv6-network-group martians-ipv6 {
description "IPv6 martians"
ipv6-network ::/96
ipv6-network ::ffff:0:0/96
ipv6-network 100::/64
ipv6-network 2001::/32
ipv6-network 2001:2::/48
ipv6-network 2001:10::/28
ipv6-network 2001:db8::/32
ipv6-network fc00::/7
ipv6-network fe80::/10
ipv6-network fec0::/10
ipv6-network ff00::/8Any IPv6 firewall rule sets would be applied to the tun interface (not the underlying eth interface).
It's also reasonable to block Teredo outbound (IPv4 UDP destination port 3544) since any IPv6 in such will not be subject to any IPv6 rule sets.