200
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
    accept - accept the packet. No further action is taken, i.e. the packet is passed through and no more rules are applied to it
    add-dst-to-address-list - adds the destination address of the IP packet to the address list specified by the address-list parameter
    add-src-to-address-list - adds the source address of the IP packet to the address list specified by the address-list parameter
    drop - silently drop the packet (without sending an ICMP reject message)
    jump - jump to the chain specified by the value of the jump-target parameter
    log - each match with this action will add a message to the system log
    passthrough - ignores this rule and goes on to the next one
    reject - reject the packet and send an ICMP reject message
    return - passes control back to the chain from where the jump took place
    tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
address-list (name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list. These address lists can later be used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions
    00:00:00 - leave the address in the address list forever
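The following rule set, added here as an illustration and not taken from the manual, puts the address-list actions, the timeout, and the jump/return/tarpit/log actions to work as a brute-force limiter for SSH on the router itself. The chain name ssh-guard, the list names ssh_stage1 to ssh_stage3 and ssh_blacklist, the one-minute stage timeout and the one-day blacklist are all assumptions chosen for the example.

```routeros
# Added example (not from the manual). Chain and list names are assumed.
/ip firewall filter
# Every new inbound SSH SYN is handed to the user-defined chain ssh-guard;
# the chain is created the first time a rule names it.
add chain=input protocol=tcp dst-port=22 connection-state=new action=jump jump-target=ssh-guard comment="new SSH -> ssh-guard"

# Escalation ladder. add-src-to-address-list does not terminate processing,
# so the stages must be listed from the highest down: a first-time source is
# only added to ssh_stage1, a source already in ssh_stage1 is promoted to
# ssh_stage2, and so on. Four new connections inside one minute end in
# ssh_blacklist, which is kept for a day.
add chain=ssh-guard src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d
add chain=ssh-guard src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=00:01:00
add chain=ssh-guard src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=00:01:00
add chain=ssh-guard action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=00:01:00

# Blacklisted sources: log the attempt (log is also non-terminating), then
# tarpit the connection so the client waits on a SYN/ACK that leads nowhere.
add chain=ssh-guard src-address-list=ssh_blacklist action=log log-prefix="ssh-blacklist"
add chain=ssh-guard src-address-list=ssh_blacklist action=tarpit

# Nothing terminated the packet: hand it back to the input chain, which accepts it.
add chain=ssh-guard action=return
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept
```

The ordering of the ladder is the part that bites in practice: if the ssh_stage1 rule came first, a single SYN from a new source would be promoted through every stage, because each add-src-to-address-list rule passes the packet on to the next. Entries and their remaining timeouts can be inspected with /ip firewall address-list print.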
chain (forward | input | output | name) - specifies the chain to put a particular rule into. As different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts
connection-bytes (integer-integer) - matches packets only if the given amount of bytes has been transferred through the particular connection
    0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restricts the number of connections per address or address block: the rule matches once the count of connections from the same source address (or from the same address block, as grouped by netmask) has reached the given integer
connection-mark (name) - matches packets marked via the mangle facility with a particular connection mark
connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
    established - a packet which belongs to an existing connection, e.g. a reply packet or a packet which belongs to an already replied connection
    invalid - a packet which could not be identified for some reason. This includes an out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
    new - a packet which begins a new connection (for connectionless protocols such as UDP, the first packet of a flow not yet seen by connection tracking)
    related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)
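A stateful baseline for the router's own input chain, added here as an example and not part of the manual, shows how the four connection-state values are normally combined, with connection-limit used to cap per-source concurrency. The limit of 20 connections per /32 and the choice of TCP port 80 as the only openly offered service are assumptions for the example.

```routeros
# Added example (not from the manual). Port and limit values are assumed.
# Enable the FTP helper so FTP data connections are classified as related
# rather than new (the manual's note on the related state).
/ip firewall service-port set ftp disabled=no

/ip firewall filter
# Replies to connections already in the tracking table, and helper-related
# packets such as ICMP errors or FTP data, are accepted before anything else.
add chain=input connection-state=established action=accept comment="tracked connections"
add chain=input connection-state=related action=accept comment="ICMP errors, FTP data"
# Packets connection tracking cannot place anywhere are dropped, as the manual advises.
add chain=input connection-state=invalid action=drop comment="untrackable"

# connection-limit=20,32 counts connections per single source address (/32);
# 20,24 would pool every host of the source's /24 into one counter.
add chain=input protocol=tcp connection-state=new connection-limit=20,32 action=drop comment="per-source flood cap"

# Only the first packet of a connection can open a service; later packets of
# an accepted connection are already covered by the established rule above.
add chain=input protocol=tcp dst-port=80 connection-state=new action=accept comment="web UI"
add chain=input action=drop comment="default deny"
```

Because established and related are accepted first, every later rule only ever sees the opening packet of a connection, which keeps the rule set short and makes the connection-limit counter apply to connection attempts rather than to every packet. The counter can be checked with /ip firewall filter print stats.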
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. The relevant connection helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - matches the destination address of a packet against a user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches the destination address type of the IP packet, one of the following: