There have been a number of building of access list to protect the network like Anti-Spoofing, block well-know ICMP exploits, block well-know DDOS port and so on.
We do not have to wary about it too much as the nature of the ACL is implicit deny all. What we need to do is to build an ACL to permit the preferred traffic and port (like permit www) and let the implicit deny all to do the rest of the job. The security part of it should be well taken care off.
The answer to your question is yes and no. You will more than likely allow any into your web server. I would still put a deny above the permit, denying all inside address ranges, in the outside interface for any destination. This will help prevent spoofing.
Of course, ACL itself is not a complete solution for security and it never is a good firewall. I will take it as front line defense against non preferred traffic. With the ACL configure to allow only http traffic it should be well deny the rest of the non permit traffic whether is telnet, icmp traffic, ftp and etc. In short the implicit deny block all other port number except port 80. Of course if attacker using port 80 vulnerability then that is beyond the scope of this topic.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...