Versions Compared

Old Version 28

changes.mady.by.user Artūrs C.

Saved on

compared with

New Version 29

changes.mady.by.user Artūrs C.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add "log" parameter

...

PropertyDescription
action (action name; Default: accept)Action to take if a packet is matched by the rule:
  • accept - accept the packet. A packet is not passed to the next NAT rule.
  • add-dst-to-address-list - add destination address to address list specified by address-list parameter
  • add-src-to-address-list - add source address to address list specified by address-list parameter
  • dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters
  • jump - jump to the user-defined chain specified by the value of jump-target parameter
  • log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After a packet is matched it is passed to the next rule in the list, similar as passthrough
  • masquerade - replaces source port of an IP packet to one specified by to-ports parameter and replace the source address of an IP packet to IP determined by routing facility. 
  • netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
  • passthrough - if a packet is matched by the rule, increase counter and go to next rule (useful for statistics).
  • redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses
  • return - passes control back to the chain from where the jump took place
  • same - gives a particular client the same source/destination IP address from a supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
  • src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
address-list (string; Default: )Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic)Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
  • Value of none-dynamic (00:00:00) will leave the address in the address list till reboot
  • Value of none-static will leave the address in the address list forever and will be included in configuration export/backup
chain (name; Default: )Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created
comment (string; Default: )Descriptive comment for the rule
connection-bytes (integer-integer; Default: )Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask; Default: )Matches connections per address or address block after a given value is reached
connection-mark (no-mark | string; Default: )Matches packets marked via mangle facility with particular connection mark. If no-mark is set, the rule will match any unmarked connection
connection-rate (Integer 0..4294967295; Default: )Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: )Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (string; Default: )Match packets that contain specified text
dscp (integer: 0..63; Default: )Matches DSCP IP header field.
dst-address (IP/netmask | IP range; Default: )Matches packets which destination is equal to specified IP or falls into specified IP range.
dst-address-list (name; Default: )Matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast; Default: )Matches destination address type:
  • unicast - IP address used for point to point transmission
  • local - if dst-address is assigned to one of the router's interfaces
  • broadcast - packet is sent to all devices in a subnet
  • multicast - packet is forwarded to a defined group of devices
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire].
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional)
  • burst - number of packets that are not counted by packet rate
  • mode - the classifier for packet rate limiting
  • expire - specifies interval after which recored ip address /port will be deleted (optional)
dst-port (integer[-integer]: 0..65535; Default: )List of destination port numbers or port number ranges in format Range[,Port], for example, dst-port=123-345,456-678
fragment (yes|no; Default: )Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments as the system automatically assembles every packet
hotspot (auth | from-client | http | local-dst | to-client; Default: )Matches packets received from HotSpot clients against various HotSpot matchers.
  • auth - matches authenticated HotSpot client packets
  • from-client - matches packets that are coming from the HotSpot client
  • http - matches HTTP requests sent to the HotSpot server
  • local-dst - matches packets that are destined to the HotSpot server
  • to-client - matches packets that are sent to the HotSpot client
icmp-options (integer:integer; Default: )Matches ICMP type: code fields
in-bridge-port (name; Default: )Actual interface the packet has entered the router if the incoming interface is a bridge
in-interface (name; Default: )Interface the packet has entered the router
ingress-priority (integer: 0..63; Default: )Matches ingress the priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. 
ipsec-policy (in | out, ipsec | none; Default: )Matches the policy used by IpSec. Value is written in the following format: direction, policy. The direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
  • in - valid in the PREROUTING, INPUT, and FORWARD chains
  • out - valid in the POSTROUTING, OUTPUT, and FORWARD chains
  • ipsec - matches if the packet is subject to IpSec processing;
  • none - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).

For example, if a router receives an IPsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but the rule ipsec-policy=in,none will match the ESP packet.

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: )Matches IPv4 header options.
  • any - match packet with at least one of the ipv4 options
  • loose-source-routing - match packets with a loose source routing option. This option is used to route the internet datagram based on information supplied by the source
  • no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
  • no-router-alert - match packets with no router alter option
  • no-source-routing - match packets with no source routing option
  • no-timestamp - match packets with no timestamp option
  • record-route - match packets with record route option
  • router-alert - match packets with router alter option
  • strict-source-routing - match packets with strict source routing option
  • timestamp - match packets with a timestamp
jump-target (name; Default: )Name of the target chain to jump to. Applicable only if action=jump
layer7-protocol (name; Default: )Layer7 filter name defined in layer7 protocol menu.
limit (integer,time,integer; Default: )Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: count[/time],burst.
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
  • burst - number of packets that are not counted by packet rate
log (yes | no; Default: no)Add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port, and length of the packet.
log-prefix (string; Default: )Adds specified text at the beginning of every log message. Applicable if action=lognth (integer,integer; Default: )Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule or log=yes configured.
out-bridge-port (name; Default: )Actual interface the packet is leaving the router if the outgoing interface is a bridge
out-interface (; Default: )Interface the packet is leaving the router
packet-mark (no-mark | string; Default: )Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet
packet-size (integer[-integer]:0..65535; Default: )Matches packets of specified size or size range in bytes
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: )PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream
port (integer[-integer]: 0..65535; Default: )Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
protocol (name or protocol ID; Default: tcp)Matches particular IP protocol specified by protocol name or number
psd (integer,time,integer,integer; Default: )Attempts to detect TCP and UDP scans. Parameters are in the following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
  • WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
  • DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
  • LowPortWeight - the weight of the packets with privileged (<1024) destination port
  • HighPortWeight - the weight of the packet with non-privileged destination port
random (integer: 1..99; Default: )Matches packets randomly with a given probability
routing-mark (string; Default: )Matches packets marked by mangle facility with particular routing mark
same-not-by-dst (yes | no; Default: )Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same
src-address (Ip/Netmaks, Ip range; Default: )Matches packets which source is equal to specified IP or falls into specified IP range.
src-address-list (name; Default: )Matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address type:

  • unicast - IP address used for point to point transmission
  • local - if an address is assigned to one of the router's interfaces
  • broadcast - packet is sent to all devices in a subnet
  • multicast - packet is forwarded to a defined group of devices
src-port (integer[-integer]: 0..65535; Default: )List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP.
src-mac-address (MAC address; Default: )Matches source MAC address of the packet
tcp-mss (integer[-integer]: 0..65535; Default: )Matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: )Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address[-IP address]; Default: 0.0.0.0)Replace the original address with the specified one. Applicable if action is dst-nat, netmap, same, src-nat
to-ports (integer[-integer]: 0..65535; Default: )Replace the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat
ttl (integer: 0..255; Default: )Matches packets TTL value

...