...
Property | Description
---|---
action (action name; Default: accept) | Action to take if a packet is matched by the rule:
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list
address-list-timeout (none-dynamic \| none-static \| time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions
chain (name; Default: ) | Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created
comment (string; Default: ) | Descriptive comment for the rule
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 means infinity; for example, connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after a given value is reached
connection-mark (no-mark \| string; Default: ) | Matches packets marked via the mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection
connection-rate (integer: 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection
connection-type (ftp \| h323 \| irc \| pptp \| quake3 \| sip \| tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (string; Default: ) | Matches packets that contain the specified text
dscp (integer: 0..63; Default: ) | Matches the DSCP IP header field
dst-address (IP/netmask \| IP range; Default: ) | Matches packets whose destination is equal to the specified IP or falls into the specified IP range
dst-address-list (name; Default: ) | Matches the destination address of a packet against a user-defined address list
dst-address-type (unicast \| local \| broadcast \| multicast; Default: ) | Matches destination address type:
dst-limit (integer[/time],integer,dst-address \| dst-port \| src-address[/time]; Default: ) | Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire]
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges in the format Range[,Port], for example dst-port=123-345,456-678
fragment (yes \| no; Default: ) | Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments, as the system automatically reassembles every packet
hotspot (auth \| from-client \| http \| local-dst \| to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router through if the incoming interface is a bridge
in-interface (name; Default: ) | Interface the packet has entered the router through
ingress-priority (integer: 0..63; Default: ) | Matches the ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bits
ipsec-policy (in \| out, ipsec \| none; Default: ) | Matches the policy used by IPsec. The value is written in the following format: direction, policy. The direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. For example, if a router receives an IPsec encapsulated GRE packet, then rule
ipv4-options (any \| loose-source-routing \| no-record-route \| no-router-alert \| no-source-routing \| no-timestamp \| none \| record-route \| router-alert \| strict-source-routing \| timestamp; Default: ) | Matches IPv4 header options
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump
layer7-protocol (name; Default: ) | Layer7 filter name defined in the layer7 protocol menu
limit (integer,time,integer; Default: ) | Matches packets until a given pps limit is exceeded. Parameters are written in the following format: count[/time],burst
log (yes \| no; Default: no) | Adds a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port, and length of the packet
log-prefix (string; Default: ) | Adds the specified text at the beginning of every log message. Applicable if action=log or log=yes is configured
nth (integer,integer; Default: ) | Matches every nth packet: an nth=2,1 rule will match every first packet of 2, hence 50% of all the traffic that is matched by the rule
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router through if the outgoing interface is a bridge
out-interface (name; Default: ) | Interface the packet is leaving the router through
packet-mark (no-mark \| string; Default: ) | Matches packets marked via the mangle facility with a particular packet mark. If no-mark is set, the rule will match any unmarked packet
packet-size (integer[-integer]: 0..65535; Default: ) | Matches packets of the specified size or size range in bytes
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | The PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
protocol (name or protocol ID; Default: tcp) | Matches a particular IP protocol specified by protocol name or number
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
random (integer: 1..99; Default: ) | Matches packets randomly with a given probability
routing-mark (string; Default: ) | Matches packets marked by the mangle facility with a particular routing mark
same-not-by-dst (yes \| no; Default: ) | Specifies whether or not to take the destination IP address into account when selecting a new source IP address. Applicable if action=same
src-address (IP/netmask \| IP range; Default: ) | Matches packets whose source is equal to the specified IP or falls into the specified IP range
src-address-list (name; Default: ) | Matches the source address of a packet against a user-defined address list
src-address-type (unicast \| local \| broadcast \| multicast; Default: ) | Matches source address type:
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP
src-mac-address (MAC address; Default: ) | Matches the source MAC address of the packet
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches the TCP MSS value of an IP packet
time (time-time,sat \| fri \| thu \| wed \| tue \| mon \| sun; Default: ) | Allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address[-IP address]; Default: 0.0.0.0) | Replaces the original address with the specified one. Applicable if action is dst-nat, netmap, same or src-nat
to-ports (integer[-integer]: 0..65535; Default: ) | Replaces the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same or src-nat
ttl (integer: 0..255; Default: ) | Matches the packet's TTL value
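A worked rule set combining several of the properties above, added here as an illustration and not part of the original reference: a port forward that only an address-list allowlist may reach, source recording with address-list-timeout, and the hairpin srcnat rule LAN clients need when they use the public address. The interface name, addresses, ports and list names are assumed example values.

```routeros
# Assumed topology (constructed example values):
#   ether1 = WAN interface, public address 203.0.113.10
#   LAN    = 192.168.88.0/24, internal web server at 192.168.88.10:8443

# Static allowlist of remote networks permitted to use the forward
/ip firewall address-list
add list=web-allowed address=198.51.100.0/24 comment="partner office"

/ip firewall nat
# Default outbound NAT for everything leaving the WAN interface
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="outbound masquerade"

# Record every allowed source that hits the forwarded port; the entry
# expires after address-list-timeout. This action does not terminate
# rule processing, so the packet continues to the dst-nat rule below.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    src-address-list=web-allowed action=add-src-to-address-list \
    address-list=web-clients-seen address-list-timeout=1d \
    comment="track forward users"

# Forward public TCP/443 to the internal server, allowlist only;
# log=yes plus log-prefix makes each new connection visible in the log
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    src-address-list=web-allowed action=dst-nat \
    to-addresses=192.168.88.10 to-ports=8443 \
    log=yes log-prefix="dstnat-web:" comment="web forward"

# Hairpin, step 1: LAN clients addressing the public IP also get dst-nat
add chain=dstnat src-address=192.168.88.0/24 dst-address=203.0.113.10 \
    protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=8443 comment="hairpin dst-nat"

# Hairpin, step 2: rewrite the LAN client's source as well, otherwise the
# server answers the client directly and the connection never completes.
# srcnat runs after dst-nat, so dst-address/dst-port are the translated ones.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=8443 action=masquerade comment="hairpin src-nat"
```

Rule order within a chain matters: the tracking rule must precede the dst-nat rule it observes, and the address-list can be inspected afterwards with /ip firewall address-list print where list=web-clients-seen.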
...