Overview
/ip firewall
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with Network Address Translation, it serves as a tool for preventing unauthorized access to directly attached networks and the router itself, as well as a filter for outgoing traffic. Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. A properly configured firewall plays a key role in efficient and secure network infrastructure deployment.
Firewall filter
Chains
The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.
There are three predefined chains, which cannot be deleted:
- input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
- forward - used to process packets passing through the router
- output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
Custom chain
Suppose packets should be matched against an IP address:port pair. This could be achieved by adding as many rules with an IP address:port match as required to the forward chain, but a better way is to add one rule that matches traffic from a particular IP address, e.g. /ip firewall filter add chain=forward src-address=1.1.1.2/32 action=jump jump-target="mychain", which on a successful match passes control over the IP packet to another chain, i.e. mychain in this example. Rules that match on the separate ports can then be added to the mychain chain without specifying the IP address.
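The chain traversal described in the two sections above (top-to-bottom evaluation, first match wins except for passthrough, default accept at the end of a built-in chain, and a jump into a custom chain that hands the packet back when it runs out of rules) is easy to get wrong when reasoning about a ruleset by hand. The following simulator is an added example, not RouterOS code: it parses `/ip firewall filter add key=value ...` lines into rules and evaluates constructed packets against them. The ruleset, the packets and the subset of matchers it understands (src-address, dst-address, protocol, dst-port, connection-state) are assumptions made for the example; anything else is treated as a non-match.

```python
"""Added example (not RouterOS code): a simulator of filter-chain evaluation.

Rules are tried top to bottom, the first match decides (action=passthrough
being the exception), a packet that falls off the end of a built-in chain is
accepted, and action=jump hands the packet to a custom chain. A custom chain
that runs out of rules (or hits action=return) hands the packet back to the
rule that follows the jump. Only the matchers used below are implemented.
"""
import ipaddress
import shlex

BUILTIN_CHAINS = ("input", "forward", "output")


def parse_rule(line):
    """Turn one '/ip firewall filter add key=value ...' line into a dict."""
    rule = {}
    for tok in shlex.split(line):
        if "=" in tok:                      # skips the menu path and the 'add' verb
            key, value = tok.split("=", 1)
            rule[key] = value
    rule.setdefault("action", "accept")     # documented default for action
    return rule


def addr_matches(spec, addr):
    """spec is 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h' (an IP range)."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """spec is a comma-separated list of ports and lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, pkt):
    checks = {
        "src-address": lambda v: addr_matches(v, pkt["src"]),
        "dst-address": lambda v: addr_matches(v, pkt["dst"]),
        "protocol": lambda v: v == pkt.get("proto"),
        "dst-port": lambda v: pkt.get("proto") in ("tcp", "udp")
                              and port_matches(v, pkt["dport"]),
        "connection-state": lambda v: pkt.get("state") in v.split(","),
    }
    for key, value in rule.items():
        if key in ("chain", "action", "jump-target", "comment"):
            continue
        if key not in checks or not checks[key](value):
            return False                    # unknown matcher: treated as no match
    return True


def evaluate(rules, chain, pkt, depth=0):
    """Return 'accept'/'drop'/'reject', or None when a custom chain is exhausted."""
    if depth > 16:
        raise RecursionError("jump loop between chains")
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        action = rule["action"]
        if action == "passthrough":
            continue                        # the one action that keeps evaluating
        if action == "return":
            break
        if action == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt, depth + 1)
            if verdict is not None:
                return verdict
            continue                        # custom chain gave no verdict: next rule here
        return action
    return "accept" if chain in BUILTIN_CHAINS else None


# Constructed ruleset following the "custom chain" description above.
SAMPLE_RULES = [parse_rule(l) for l in """
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward src-address=1.1.1.2/32 action=passthrough comment="count only"
/ip firewall filter add chain=forward src-address=1.1.1.2/32 action=jump jump-target="mychain"
/ip firewall filter add chain=mychain protocol=tcp dst-port=22,443 action=accept
/ip firewall filter add chain=mychain protocol=tcp dst-port=23 action=reject
/ip firewall filter add chain=mychain protocol=udp action=drop
/ip firewall filter add chain=forward protocol=tcp dst-port=80 action=drop
""".strip().splitlines()]


def verdict(src, proto, dport, state="new", dst="198.51.100.1"):
    """Evaluate one constructed packet entering the forward chain."""
    return evaluate(SAMPLE_RULES, "forward",
                    {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state})


if __name__ == "__main__":
    for args in (("1.1.1.2", "tcp", 443), ("1.1.1.2", "tcp", 23),
                 ("1.1.1.2", "tcp", 80), ("10.0.0.5", "tcp", 8080)):
        print(args, "->", verdict(*args))
```

The case worth noticing is TCP port 80 from 1.1.1.2: none of the mychain rules match, so the packet returns to the forward chain and is dropped by the later port-80 rule, whereas the same packet from any other source with no matching rule is accepted by the built-in chain's default.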
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if the packet is matched by the rule. |
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (time; Default: 00:00:00) | Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions. A value of 00:00:00 will leave the address in the address list forever. |
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection |
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after a given value is reached. Should be used together with connection-state=new and/or with tcp-flags=syn because the matcher is very resource intensive. |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection. |
connection-nat-state (srcnat | dstnat; Default: ) | Can match connections that are src-natted, dst-natted or both. Note that for connection-state=related connections, connection-nat-state is determined by the direction of the first packet, and if connection tracking needs to use dst-nat to deliver this connection to the same host as the main connection, it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all. |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection. |
connection-state (established | invalid | new | related | untracked; Default: ) | Interprets the connection tracking analytics data for a particular packet. |
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets whose destination is equal to the specified IP or falls into the specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type. |
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by the mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire] |
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers. |
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router if the incoming interface is bridge. Works only if use-ip-firewall is enabled in bridge settings. |
in-bridge-port-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as in-bridge-port |
in-interface (name; Default: ) | Interface the packet has entered the router |
in-interface-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as in-interface |
ingress-priority (integer: 0..63; Default: ) | Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IPsec. Value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. For example, if a router receives an IPsec encapsulated GRE packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options. |
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
layer7-protocol (name; Default: ) | Layer7 filter name defined in the layer7 protocol menu. |
limit (integer,time,integer; Default: ) | Matches packets up to a limited rate (packet rate or bit rate). A rule using this matcher will match until this limit is reached. Parameters are written in the following format: count[/time],burst:mode |
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
nth (integer,integer; Default: ) | Matches every nth packet. |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router if the outgoing interface is bridge. Works only if use-ip-firewall is enabled in bridge settings. |
out-bridge-port-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as out-bridge-port |
out-interface (name; Default: ) | Interface the packet is leaving the router |
out-interface-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as out-interface |
packet-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet. |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes. |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream. |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
priority (integer: 0..63; Default:) | Matches the packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit or from the priority that has been set using the set-priority action. |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight |
random (integer: 1..99; Default: ) | Matches packets randomly with given probability. |
reject-with (icmp-admin-prohibited | icmp-net-prohibited | icmp-protocol-unreachable | icmp-host-prohibited | icmp-network-unreachable | tcp-reset | icmp-host-unreachable | icmp-port-unreachable; Default: icmp-network-unreachable) | Specifies the ICMP error to be sent back if a packet is rejected. Applicable if action=reject |
routing-table (string; Default: ) | Matches packets whose destination address is resolved in a specific routing table. More details can be found on the Routing Table Matcher page |
routing-mark (string; Default: ) | Matches packets marked by mangle facility with particular routing mark |
src-address (IP/netmask | IP range; Default: ) | Matches packets whose source is equal to the specified IP or falls into the specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) | Matches source address type. |
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) | Matches specified TCP flags |
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
tls-host (string; Default: ) | Allows matching https traffic based on TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets). |
ttl (integer: 0..255; Default: ) | Matches the packet's TTL value |
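The limit and dst-limit rows above both describe a rate matcher written as count[/time],burst with, for dst-limit, a per-flow mode and an expire time. The model below is an added example rather than RouterOS code: it implements both matchers as token buckets (the reading the netfilter limit and hashlimit matchers use, where tokens refill at count per time up to burst and a packet matches only while a token is available) and runs constructed traffic through them. It assumes packet mode only, and takes time and expire in seconds instead of RouterOS time syntax such as 10s or 1m.

```python
"""Added example (not RouterOS code): token-bucket model of limit and dst-limit.

limit=count/time,burst keeps one bucket for the whole rule; dst-limit=
count/time,burst,mode/expire keeps one bucket per flow, where mode names the
packet fields that define a flow and idle buckets are forgotten after expire.
Assumptions: packet mode only; time and expire are plain seconds.
"""


class TokenBucket:
    def __init__(self, count, interval, burst, now):
        self.rate = count / interval      # tokens added per second
        self.burst = burst                # capacity and initial fill
        self.tokens = float(burst)
        self.last = now                   # time of the last refill

    def take(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class LimitMatcher:
    """limit=count/time,burst: a single bucket shared by all packets."""

    def __init__(self, count, interval, burst):
        self.params = (count, interval, burst)
        self.bucket = None

    def matches(self, pkt, now):
        if self.bucket is None:
            self.bucket = TokenBucket(*self.params, now)
        return self.bucket.take(now)


class DstLimitMatcher:
    """dst-limit=count/time,burst,mode/expire: one bucket per flow key."""

    def __init__(self, count, interval, burst, mode, expire):
        self.params = (count, interval, burst)
        self.fields = mode.split(",")     # e.g. "dst-address,dst-port"
        self.expire = expire
        self.buckets = {}

    def matches(self, pkt, now):
        # Forget flows that have been idle longer than expire.
        for key in [k for k, b in self.buckets.items() if now - b.last > self.expire]:
            del self.buckets[key]
        key = tuple(pkt[f] for f in self.fields)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*self.params, now)
        return self.buckets[key].take(now)


def run_scenario():
    """Constructed traffic: two sources burst at one host; one of them returns later.

    Returns (matched packets per source, live buckets at the end, and matches for
    a plain limit=1/1s,2 over three packets sent within 0.2 s).
    """
    m = DstLimitMatcher(count=2, interval=1.0, burst=3, mode="src-address", expire=10.0)
    matched = {"10.0.0.1": 0, "10.0.0.2": 0}
    t = 0.0
    for _ in range(10):                   # 10 packets per source within 0.1 s
        for src in matched:
            pkt = {"src-address": src, "dst-address": "192.0.2.10", "dst-port": 22}
            matched[src] += m.matches(pkt, t)
        t += 0.01
    # 5 s later the bucket for 10.0.0.1 has refilled to burst, so it matches again.
    matched["10.0.0.1"] += m.matches({"src-address": "10.0.0.1"}, 5.0)
    # At 20 s both flows have been idle longer than expire; 10.0.0.2's bucket is gone
    # and 10.0.0.1 gets a fresh one.
    matched["10.0.0.1"] += m.matches({"src-address": "10.0.0.1"}, 20.0)
    lim = LimitMatcher(count=1, interval=1.0, burst=2)
    plain = sum(lim.matches({}, now) for now in (0.0, 0.1, 0.2))
    return matched, len(m.buckets), plain


if __name__ == "__main__":
    print(run_scenario())
```

Each source gets only its burst of 3 matches during the 0.1 s flood regardless of how many packets it sends, which is why a log rule combined with dst-limit keyed on src-address stays readable under a scan, and why the expire value matters on a router with many short-lived flows: it bounds the number of buckets kept in memory.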
Filter stats
/ip firewall filter print stats
Will show additional read-only properties
Property | Description |
---|---|
bytes (integer) | Total amount of bytes matched by the rule |
packets (integer) | Total amount of packets matched by the rule |
By default, print is equivalent to print static and shows only static rules.
[admin@mikrotik] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0   prerouting  mark-routing  17478158   127631
 1   prerouting  mark-routing  782505     4506
To print also dynamic rules use print all.
[admin@mikrotik] /ip firewall mangle> print all stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0   prerouting  mark-routing  17478158   127631
 1   prerouting  mark-routing  782505     4506
 2 D forward     change-mss    0          0
 3 D forward     change-mss    0          0
 4 D forward     change-mss    0          0
 5 D forward     change-mss    129372     2031
Or to print only dynamic rules use print dynamic
[admin@mikrotik] /ip firewall mangle> print stats dynamic
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0 D forward     change-mss    0          0
 1 D forward     change-mss    0          0
 2 D forward     change-mss    0          0
 3 D forward     change-mss    132444     2079
Firewall NAT
/ip firewall nat
Network Address Translation (NAT) is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting as a packet travels from/to the LAN.
There are two types of NAT:
- source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
- destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network to be accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of a TCP connection from outside the private network, or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT; a prime example is the AH protocol from the IPsec suite.
Masquerade
Firewall NAT action=masquerade is a special form of action=srcnat. It was designed for situations where the public IP can change at any time, for example when a DHCP server changes it, or a PPPoE tunnel gets a different IP after a disconnect; in short, when the public IP is dynamic.
Every time interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send a packet out that interface, this way improving system recovery time after public IP address change.
Unfortunately, this can lead to some issues when action=masquerade is used in setups with unstable connections/links that get routed over different links when the primary is down. In such a scenario the following things can happen:
- on disconnect, all related connection tracking entries are purged;
- the next packet from every purged (previously masqueraded) connection will come into the firewall as connection-state=new, and, if the primary interface is not back, the packet will be routed out via an alternative route (if you have any), thus creating a new connection;
- the primary link comes back and routing is restored over the primary link, so packets that belong to existing connections are sent over the primary interface without being masqueraded, leaking local IPs to a public network.
You can work around this by creating a blackhole route as an alternative to the route that might disappear on disconnect.
When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.
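To make the srcnat description and the masquerade notes above concrete, the following model is an added example, not RouterOS code. It simulates a NAT gateway with a connection-tracking table, a primary and a secondary WAN link and a distance-ordered route list, then flaps the primary link so that it comes back with a different public address. Assumptions made for the example: the srcnat rule applies only to traffic leaving wan1 (out-interface=wan1), the secondary path wan2 carries untranslated traffic, the NAT decision is taken on the first packet of a connection and then stays with its conntrack entry, and all addresses are constructed documentation values.

```python
"""Added example (not RouterOS code): masquerade vs src-nat across a link flap.

Models the documented behaviour: on link loss, masqueraded conntrack entries
that leave the failed interface are cleared, src-nat entries are kept, and a
blackhole fallback route drops the "new" packets that would otherwise create
an untranslated connection over the secondary link.
"""
import ipaddress

NAT_OUT_INTERFACE = "wan1"   # assumption: the srcnat rule is out-interface=wan1
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Gateway:
    """LAN-side NAT router with a conntrack table, two WAN links and a route list."""

    def __init__(self, routes, nat_action="masquerade", fixed_src="203.0.113.5"):
        self.wan_ips = {"wan1": "203.0.113.5", "wan2": "192.0.2.77"}  # constructed addresses
        self.routes = sorted(routes)  # (distance, target); target is an interface or "blackhole"
        self.nat_action = nat_action  # "masquerade" or "src-nat"
        self.fixed_src = fixed_src    # to-addresses used by action=src-nat
        self.conntrack = {}           # (lan_src, dst) -> {"out_if": ..., "nat_src": ...}

    def route(self):
        """First route whose target is usable: an interface that is up, or the blackhole."""
        for _, target in self.routes:
            if target == "blackhole" or self.wan_ips.get(target) is not None:
                return target
        return None

    def link_down(self, iface):
        self.wan_ips[iface] = None
        if self.nat_action == "masquerade":
            # Documented behaviour: masqueraded entries leaving the failed interface are cleared.
            self.conntrack = {k: v for k, v in self.conntrack.items() if v["out_if"] != iface}

    def link_up(self, iface, ip):
        self.wan_ips[iface] = ip

    def send(self, lan_src, dst):
        """Forward one LAN packet; returns (connection-state, out-interface, source on the wire)."""
        target = self.route()
        if target in (None, "blackhole"):
            return ("dropped", target, None)   # nothing is tracked for a dropped packet
        key = (lan_src, dst)
        entry = self.conntrack.get(key)
        if entry is None:
            # NAT is decided on the first packet of a connection and then sticks to it.
            if target == NAT_OUT_INTERFACE:
                nat_src = self.wan_ips[target] if self.nat_action == "masquerade" else self.fixed_src
            else:
                nat_src = lan_src   # no srcnat rule for this interface: address left untouched
            self.conntrack[key] = entry = {"out_if": target, "nat_src": nat_src}
            return ("new", target, nat_src)
        return ("established", target, entry["nat_src"])


def scenario(nat_action, routes):
    """Primary link flaps and returns with a new IP; returns the three forwarding outcomes."""
    gw = Gateway(routes, nat_action)
    lan, dst = "10.0.0.7", "198.51.100.1"   # constructed LAN host and remote server
    before = gw.send(lan, dst)
    gw.link_down("wan1")
    during = gw.send(lan, dst)
    gw.link_up("wan1", "203.0.113.9")       # same link, different dynamic public IP
    after = gw.send(lan, dst)
    return [before, during, after]


def leaks_private(outcomes):
    """True if any forwarded packet carried an RFC 1918 source address on the wire."""
    return any(src is not None and any(ipaddress.ip_address(src) in n for n in RFC1918)
               for _, _, src in outcomes)


if __name__ == "__main__":
    for action, routes in (("masquerade", [(1, "wan1"), (2, "wan2")]),
                           ("masquerade", [(1, "wan1"), (2, "blackhole"), (3, "wan2")]),
                           ("src-nat", [(1, "wan1"), (2, "wan2")])):
        out = scenario(action, routes)
        print(action, routes, out, "LEAK" if leaks_private(out) else "ok")
```

With masquerade and a plain secondary route, the packet sent while wan1 is down creates an untranslated connection, and once wan1 returns that connection's packets leave the primary interface with the 10.0.0.7 source still in place; the blackhole route (at a lower distance than wan2) turns that packet into a drop, so the connection is re-created and masqueraded with the new address when wan1 is back. With src-nat the entry survives the flap and the connection resumes with its fixed translated address.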
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if the packet is matched by the rule. |
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions |
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection |
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after a given value is reached. |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection. |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection. |
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets whose destination is equal to the specified IP or falls into the specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type. |
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given PPS limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire] |
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers. |
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router if the incoming interface is a bridge |
in-interface (name; Default: ) | Interface the packet has entered the router |
ingress-priority (integer: 0..63; Default: ) | Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IPsec. Value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. For example, if a router receives an IPsec encapsulated GRE packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options. |
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
layer7-protocol (name; Default: ) | Layer7 filter name defined in the layer7 protocol menu. |
limit (integer,time,integer; Default: ) | Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: count[/time],burst |
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
nth (integer,integer; Default: ) | Matches every nth packet. |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router if the outgoing interface is a bridge |
out-interface (name; Default: ) | Interface the packet is leaving the router |
packet-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet. |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes. |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream. |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight |
random (integer: 1..99; Default: ) | Matches packets randomly with given probability. |
routing-mark (string; Default: ) | Matches packets marked by mangle facility with particular routing mark |
same-not-by-dst (yes | no; Default: ) | Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same |
src-address (IP/netmask | IP range; Default: ) | Matches packets whose source is equal to the specified IP or falls into the specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) | Matches source address type. |
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
to-addresses (IP address[-IP address]; Default: 0.0.0.0) | Replace the original address with the specified one. Applicable if action is dst-nat, netmap, same, src-nat |
to-ports (integer[-integer]: 0..65535; Default: ) | Replace the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat |
ttl (integer: 0..255; Default: ) | Matches the packet's TTL value |
NAT stats
/ip firewall nat print stats
Will show additional read-only properties
Property | Description |
---|---|
bytes (integer) | Total amount of bytes matched by the rule |
packets (integer) | Total amount of packets matched by the rule |
Firewall Mangle
Firewall Mangle marks packets for future processing in the device with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if the packet is matched by the rule. |
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions |
chain (name; Default: ) | Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB (upload and download) has been transferred through the relevant connection |
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after a given value is reached. |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection. |
connection-nat-state (srcnat | dstnat; Default: ) | Can match connections that are srcnatted, dstnatted or both. Note that for connection-state=related connections, connection-nat-state is determined by the direction of the first packet, and if connection tracking needs to use dst-nat to deliver this connection to the same host as the main connection, it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all. |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allows the capture of traffic based on the present speed of the connection. |
connection-state (established | invalid | new | related; Default: ) | Interprets the connection tracking analytics data for a particular packet. |
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets where the destination is equal to specified IP or falls into a specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type. |
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire] |
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers. |
icmp-options (integer:integer; Default: ) | Matches ICMP "type:code" fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router if the incoming interface is a bridge |
in-interface (name; Default: ) | Interface the packet has entered the router |
ingress-priority (integer: 0..63; Default: ) | Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IPsec. Value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. For example, if a router receives an IPsec encapsulated GRE packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options. |
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
layer7-protocol (name; Default: ) | Layer7 filter name defined in layer7 protocol menu. |
limit (integer,time,integer; Default: ) | Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: count[/time],burst |
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
new-connection-mark (string; Default: ) | |
new-dscp (integer: 0..63; Default: ) | Sets a new DSCP value for a packet. |
new-mss (integer; Default: ) | Sets a new MSS for a packet. clamp-to-pmtu option dynamically sets the MSS size accordingly to the Path MTU. |
new-packet-mark (string; Default: ) | |
new-priority (integer | from-dscp | from-dscp-high-3-bits | from-ingress; Default: ) | Sets a new priority for a packet. This can be the VLAN, WMM, DSCP or MPLS EXP priority. This property can also be used to set an internal priority. |
new-routing-mark (string; Default: ) | |
new-ttl (decrement | increment | set:integer; Default: ) | |
nth (integer,integer; Default: ) | Matches every nth packet. |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router if the outgoing interface is a bridge |
out-interface (name; Default: ) | Interface the packet is leaving the router |
packet-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet. |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes. |
passthrough (yes|no; Default: yes) | Whether to let the packet pass further into the firewall (like the passthrough action) or not. The property is only valid for some actions. |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows division of traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream. |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight. |
random (integer: 1..99; Default: ) | Matches packets randomly with given probability. |
routing-mark (string; Default: ) | Matches packets marked by mangle facility with particular routing mark |
priority (integer: 0..63; Default: ) | Matches the packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit or from internal priority that has been set using the set-priority action. |
src-address (IP/Netmask, IP range; Default: ) | Matches packets where the source is equal to specified IP or falls into a specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) | Matches source address type. |
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) | Matches specified TCP flags. |
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows creation of a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
tls-host (string; Default: ) | Matches traffic based on the TLS hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets). |
ttl (equal | greater-than | less-than | not-equal : integer(0..255); Default: ) | Matches packets TTL value. |
Stats
/ip firewall filter print stats
Will show additional read-only properties
Property | Description |
---|---|
bytes (integer) | Total amount of bytes matched by the rule |
packets (integer) | Total amount of packets matched by the rule |
By default, print is equivalent to print static and shows only static rules.
```
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0   prerouting  mark-routing  17478158   127631
 1   prerouting  mark-routing  782505     4506
```
To print dynamic rules as well, use print all.
```
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0   prerouting  mark-routing  17478158   127631
 1   prerouting  mark-routing  782505     4506
 2 D forward     change-mss    0          0
 3 D forward     change-mss    0          0
 4 D forward     change-mss    0          0
 5 D forward     change-mss    129372     2031
```
To print only dynamic rules, use print dynamic.
```
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN       ACTION        BYTES      PACKETS
 0 D forward     change-mss    0          0
 1 D forward     change-mss    0          0
 2 D forward     change-mss    0          0
 3 D forward     change-mss    132444     2079
```
Menu specific commands
Property | Description |
---|---|
reset-counters (id) | Reset statistics counters for specified firewall rules. |
reset-counters-all () | Reset statistics counters for all firewall rules. |
Firewall RAW
/ip firewall raw
The firewall RAW table allows us to selectively bypass or drop packets before connection tracking, thereby significantly reducing the load on the CPU. The tool is very useful for DoS/DDoS attack mitigation.
The RAW table does not have matchers that depend on connection tracking (like connection-state, layer7, etc.).
If a packet is marked to bypass connection tracking, packet de-fragmentation will not occur.
Chains
There are two predefined chains in RAW tables:
- prerouting - used to process any packet entering the router
- output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if the packet is matched by the rule. |
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions. |
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets whose destination is equal to the specified IP or falls into the specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type. |
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by the mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire]. |
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments, as the system automatically reassembles every packet. |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | |
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router, if incoming interface is bridge. Works only if use-ip-firewall is enabled in bridge settings. |
in-interface (name; Default: ) | Interface the packet has entered the router |
in-interface-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as in-interface |
ingress-priority (integer: 0..63; Default: ) | Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IPsec. The value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. For example, if a router receives an IPsec encapsulated GRE packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options. |
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
limit (integer,time,integer; Default: ) | Matches packets up to a limited rate (packet rate or bit rate). A rule using this matcher will match until this limit is reached. Parameters are written in the following format: count[/time],burst:mode. |
log (yes | no; Default: ) | Preferred method of logging instead of action=log |
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
nth (integer,integer; Default: ) | Matches every nth packet. |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router if the outgoing interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings. |
out-interface (; Default: ) | Interface the packet is leaving the router |
out-interface-list (name; Default: ) | Set of interfaces defined in the interface list. Works the same as out-interface |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes. |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows dividing traffic into equal streams with the ability to keep packets with specific set of options in one particular stream. |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
priority (integer: 0..63; Default:) | |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight. |
random (integer: 1..99; Default: ) | Matches packets randomly with given probability. |
src-address (IP/Netmask, IP range; Default: ) | Matches packets whose source is equal to the specified IP or falls into the specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) | Matches source address type. |
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) | Matches specified TCP flags. |
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows creation of a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date. |
tls-host (string; Default: ) | Matches traffic based on the TLS hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets). |
ttl (integer: 0..255; Default: ) | Matches packets TTL value |
Service Ports
/ip firewall service-port
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore, some Internet protocols might not work in scenarios with NAT.
To overcome these limitations, RouterOS includes a number of NAT helpers that enable NAT traversal for various protocols.
Properties
Note that it is not possible to add new services; only modifications of existing services are allowed.
Property | Description |
---|---|
address (IP address/netmask | IPv6/0..128; Default: ) | List of IP/IPv6 prefixes from which the service is accessible. |
certificate (name; default: none) | The name of the certificate used by a particular service. Applicable only for services that depend on certificates (www-ssl, api-ssl) |
name (name; default: none) | Service name |
port (integer: 1..65535; Default: ) | The port particular service listens on |
Connections
/ip firewall connection tracking
There are several ways to see what connections are making their way through the router.
Properties
All properties in the connection list are read-only.
Property | Description |
---|---|
assured (yes | no) | It indicates that this connection is assured and that it will not be erased if the maximum possible tracked connection count is reached. |
confirmed (yes | no) | Connection is confirmed and a packet is sent out from the device. |
connection-mark (string) | Connection mark that was set by mangle rule. |
connection-type (pptp | ftp) | Type of connection, property is empty if connection tracking is unable to determine predefined connection type. |
dst-address (ip[:port]) | Destination address and port (if protocol is port-based). |
dstnat (yes | no) | Connection has gone through DST-NAT (for example, port forwarding). |
dying (yes | no) | Connection is dying due to connection timeout. |
expected (yes | no) | Connection is set up using connection helpers (pre-defined service rules). |
fasttrack (yes | no) | Whether the connection is FastTracked. |
gre-key (integer) | Contents of the GRE Key field. |
gre-protocol (string) | Protocol of the encapsulated payload. |
gre-version (string) | Version of GRE protocol used in the connection. |
icmp-code (string) | ICMP Code Field |
icmp-id (integer) | Contains the ICMP ID |
icmp-type (integer) | ICMP Type Number |
orig-bytes (integer) | Amount of bytes sent out from the source address using the specific connection. |
orig-fasttrack-bytes (integer) | Amount of FastTracked bytes sent out from the source address using the specific connection. |
orig-fasttrack-packets (integer) | Amount of FastTracked packets sent out from the source address using the specific connection. |
orig-packets (integer) | Amount of packets sent out from the source address using the specific connection. |
orig-rate (integer) | Data rate at which packets are sent out from the source address using the specific connection. |
protocol (string) | IP protocol type |
repl-bytes (integer) | Amount of bytes received from the destination address using the specific connection. |
repl-fasttrack-bytes (string) | Amount of FastTracked bytes received from the destination address using the specific connection. |
repl-fasttrack-packets (integer) | Amount of FastTracked packets received from the destination address using the specific connection. |
repl-packets (integer) | Amount of packets received from the destination address using the specific connection. |
repl-rate (string) | Data rate at which packets are received from the destination address using the specific connection. |
reply-dst-address (ip[:port]) | Destination address (and port) expected of return packets. Usually the same as "src-address:port" |
reply-src-address (ip[:port]) | Source address (and port) expected of return packets. Usually the same as "dst-address:port" |
seen-reply (yes | no) | The destination address has replied to the source address. |
src-address (ip[:port]) | Source address and port (if protocol is port-based). |
srcnat (yes | no) | Connection is going through SRC-NAT, including packets that were masqueraded through NAT. |
tcp-state (string) | Current state of the TCP connection. |
timeout (time) | Time after which the connection will be removed from the connection list. |
Connection tracking settings
/ip firewall connection tracking
Properties
Property | Description |
---|---|
enabled (yes | no | auto; Default: auto) | Enables or disables connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features. Starting from v6.0rc2 the default value is auto. This means that connection tracking is disabled until at least one firewall rule is added. |
loose-tcp-tracking (yes; Default: yes) | Disable picking up already established connections |
tcp-syn-sent-timeout (time; Default: 5s) | TCP SYN timeout. |
tcp-syn-received-timeout (time; Default: 5s) | TCP SYN timeout. |
tcp-established-timeout (time; Default: 1d) | Time when established TCP connection times out. |
tcp-fin-wait-timeout (time; Default: 10s) | |
tcp-close-wait-timeout (time; Default: 10s) | |
tcp-last-ack-timeout (time; Default: 10s) | |
tcp-time-wait-timeout (time; Default: 10s) | |
tcp-close-timeout (time; Default: 10s) | |
udp-timeout (time; Default: 10s) | Specifies the timeout for UDP connections that have seen packets in one direction. |
udp-stream-timeout (time; Default: 3m) | Specifies the timeout for UDP connections that have seen packets in both directions. |
icmp-timeout (time; Default: 10s) | ICMP connection timeout |
generic-timeout (time; Default: 10m) | Timeout for all other connection entries |
Read-only properties
Property | Description |
---|---|
max-entries (integer) | Maximum number of entries that the connection tracking table can hold. This value depends on the installed amount of RAM. Note that the system does not create a maximum size connection tracking table when it starts; the maximum entry count can increase if the situation demands it and the router still has free RAM left. |
total-entries (integer) | |
Features affected by connection tracking
- Firewall NAT
- Firewall:
- connection-bytes
- connection-mark
- connection-type
- connection-state
- connection-limit
- connection-rate
- layer7-protocol
- new-connection-mark
- tarpit
Address List
/ip firewall address-list
Firewall address lists allow a user to create lists of IP addresses grouped together under a common name. Firewall filter, Mangle and NAT facilities can then use those address lists to match packets against them.
The address list records can also be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in NAT, Mangle, and Filter facilities.
Firewall rules with action add-src-to-address-list or add-dst-to-address-list work in passthrough mode, which means that the matched packets will be passed on to the next firewall rules.
Properties
Property | Description |
---|---|
address (DNS Name | IP address/netmask | IP-IP; Default: ) | A single IP address, a range of IPs, or a DNS name to add to the address list. You can input, for example, '192.168.0.0-192.168.1.255' and it will automatically be modified to 192.168.0.0/23 on saving. |
list (string; Default: ) | Name for the address list of the added IP address |
timeout (time; Default: ) | Time after which the address will be removed from the address list. If the timeout is not specified, the address will be stored in the address list permanently. |
If the timeout parameter is not specified, the address is saved to the list permanently, on disk. If a timeout is specified, the address is stored in RAM and will be removed after a system reboot.
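The RAW mitigation described in the Firewall RAW section and the dynamic address-list behaviour described here, as one added example that is not from the original page or from MikroTik: a filter chain rate-checks new connections per source with dst-limit, records offenders in timed lists, and a RAW rule drops those flows before connection tracking. The chain name detect-ddos, the list names, the 192.168.0.0-192.168.1.255 allowlist range and the 32 pps / 10 min values are assumptions.

```routeros
# Added example, not from the original page. Chain/list names and all thresholds are assumptions.

# 1. Static entry. The range form is auto-converted to 192.168.0.0/23 on save;
#    an entry without a timeout is permanent and saved to disk.
/ip firewall address-list
add list=trusted address=192.168.0.0-192.168.1.255 comment="assumed management LAN"

# 2. Rate-check every new transit connection. Filter can match connection-state;
#    RAW cannot, so detection has to happen here.
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos \
    comment="assumed: run every new connection through the detector"
# dst-limit=count/time,burst,mode/expire: each source address gets its own
# bucket of 32 packets per second, burst 32; idle buckets expire after 10s.
# While the source stays under the limit this rule matches and returns.
add chain=detect-ddos dst-limit=32/1s,32,src-address/10s action=return
# Above the limit: both add-*-to-address-list actions are passthrough, so the
# same packet creates a dynamic entry in each list. Timed entries live in RAM
# only and disappear after 10m or after a reboot.
add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m

# 3. Drop the recorded flows in RAW, before connection tracking sees them, so the
#    conntrack table and CPU are not spent on the flood. Rules are evaluated in
#    order, so the trusted allowlist is accepted before the drop rule.
/ip firewall raw
add chain=prerouting src-address-list=trusted action=accept \
    comment="assumed: trusted sources are never dropped by the rule below"
add chain=prerouting src-address-list=ddos-attackers dst-address-list=ddos-targets \
    action=drop comment="assumed: drop flood sources before conntrack"
```

Check the result with /ip firewall address-list print, where dynamic entries carry the D flag and a timeout, and with /ip firewall raw print stats, where the drop rule's packet counter shows what never reached connection tracking.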
Layer7-protocol
/ip firewall layer7-protocol
Layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams. An additional requirement is that the layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement, l7 rules should be set in the forward chain. If a rule is set in the input/prerouting chain, then the same rule must also be set in the output/postrouting chain; otherwise, the collected data may not be complete, resulting in an incorrectly matched pattern. The Layer 7 matcher is case insensitive.
In some cases when the layer 7 regular expression cannot be performed, RouterOS will log topic=firewall, warning with an error message stating the problem.
The L7 matcher is very resource intensive. Use this feature only for very specific traffic. It is not recommended to use a Layer7 matcher for generic traffic, such as for blocking webpages. This will almost never work correctly and your device will exhaust its resources trying to catch all the traffic. Use other features to block webpages by URL.
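The forward-chain and input/output-pair placements described above, as an added example that is not from the original page or from MikroTik. The pattern name http-get, its regexp and port 80 are assumptions; the rules only log matches, so the matcher's behaviour can be verified before it is used for anything else.

```routeros
# Added example, not from the original page. Pattern name, regexp and port are assumptions.
/ip firewall layer7-protocol
add name=http-get regexp="^get [^ ]+ http/1[.][01]" \
    comment="assumed: a plain-HTTP request line; the matcher is case-insensitive"

/ip firewall filter
# Form 1: transit traffic. The forward chain sees both directions of a flow,
# so a single rule is enough. Narrow it with protocol/port so the L7 engine
# only inspects the traffic it is meant for (the matcher is resource intensive).
add chain=forward protocol=tcp dst-port=80 layer7-protocol=http-get \
    action=log log-prefix="l7-http-get:" \
    comment="assumed: log matched transit HTTP requests"

# Form 2: traffic to the router itself. input only sees the client's packets,
# so the same L7 rule is mirrored in output; without the pair the matcher
# collects only half of the stream and may never match.
add chain=input protocol=tcp dst-port=80 layer7-protocol=http-get \
    action=log log-prefix="l7-http-get-in:"
add chain=output protocol=tcp src-port=80 layer7-protocol=http-get \
    action=log log-prefix="l7-http-get-out:"
```

If the pattern cannot be compiled, look for the topic=firewall warning in /log print rather than assuming the rule is silently matching.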
Properties
Property | Description |
---|---|
name (string; Default: ) | Descriptive name of the l7 pattern, used by configuration in firewall rules. See example. |
regexp (string; Default: ) | POSIX compliant regular expression used to match pattern. |