add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain ( forward | input | output | postrouting | prerouting ) - specify the chain to put a particular rule
into. As the different traffic is passed through different chains, always be careful in choosing the
right chain for a new rule. If the input does not match the name of an already defined chain, a new
chain will be created
comment ( text ) - free form textual comment for the rule. A comment can be used to refer the
particular rule from scripts
connection-bytes ( integer | integer ) - match packets only if a given amount of bytes has been
transfered through the particular connection
• 0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if
more than 2MB has been transfered through the relevant connection
connection-limit ( integer | netmask ) - restrict connection limit per address or address block
connection-mark ( name ) - match packets marked via mangle facility with particular connection
mark
connection-type ( ftp | gre | h323 | irc | mms | pptp | quake3 | tftp ) - match packets from related
connections based on information from their connection tracking helpers. A relevant connection
helper must be enabled under /ip firewall service-port
content ( text ) - the text packets should contain in order to match the rule
dst-address ( IP address | netmask | IP address | IP address ) - specify the address range an IP
packet is destined to. Note that console converts entered address/netmask value to a valid network
address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list ( name ) - match destination address of a packet against user-defined address list
dst-address-type ( unicast | local | broadcast | multicast ) - match destination address type of the IP
packet, one of the:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - match addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
dst-limit ( integer | time | integer | dst-address | dst-port | src-address | time ) - limit the packet per
second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match,
every destination IP address / destination port has it's own limit. The options are as follows (in order
of appearance):
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
• Mode - the classifier(-s) for packet rate limiting
• Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port ( integer : 0 ..65535 | integer : 0 ..65535 ) - destination port number or range
Page 451 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.