
MikroTik Router OS V3.0 User Manual


Page 321

add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=tcp protocol=tcp dst-port=69 action=drop \
    comment="deny TFTP"
add chain=tcp protocol=tcp...

Page 322

Address Lists
Document revision 2.8 (February 11, 2008, 4:14 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
Summary
Specifications
Address Lists
Description
Property Description
Example
General Information
Summary


Specifications
Packages required: system
License required: level1
Home menu level: /ip firewall address-list
Standards and Technologies: IP
Hardware usage: Not...

Page 323

[admin@MikroTik] > /ip firewall address-list add list=drop_traffic address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 0   drop_traffic   192.0.34.166
[admin@MikroTik] > /ip firewall mangle add...

Page 324

Mangle
Document revision .NaN (February 11, 2008, 4:14 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
Summary
Specifications
Mangle
Description
Property Description
Notes
Description
Peer-to-Peer Traffic Marking
Mark by MAC address
Change MSS
General Information
Summary

Page 325

action (accept | add-dst-to-address-list | add-src-to-address-list | change-dscp | change-mss | change-ttl | jump | log | mark-connection | mark-packet | mark-routing | passthrough | return | set-priority | strip-ipv4-options; default: accept) - action to undertake if the packet matches the rule
• accept - accept the packet. No action, i.e., the packet is passed through and no more rules are applied to it
• add-dst-to-address-list - add destination address of an IP packet to the address list specified by address-list parameter...

Page 326

transferred through the particular connection
• 0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restrict connection limit per address or address block
connection-mark (name) - match packets marked via mangle facility with particular connection mark
connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a...

Page 327

• expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first fragment) does not count. Note that if connection tracking is enabled, there will be no fragments, as the system automatically assembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets...

Page 328

• count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
• time - specify the time interval over which the packet rate is measured
• burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log
new-connection-mark (name) - specify the new value of the connection mark to be used in conjunction with action=mark-connection
new-dscp (integer: 0..63) -...

Page 329

packet-size (integer: 0..65535-integer: 0..65535) - matches packet of the specified size or size range in bytes
• min - specifies lower boundary of the size range or a standalone value
• max - specifies upper boundary of the size range
passthrough (yes | no; default: yes) - whether to let the packet pass further (like action passthrough) after marking it with a given mark (property only valid if action is mark packet, connection or routing mark)
port (port) - matches if any (source or destination) port matches...

Page 330

• ece - ECN-echo flag (explicit congestion notification)
• fin - close connection
• psh - push function
• rst - drop connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun) - allows creating a filter based on the packet's arrival time and date or, for locally generated packets, departure time and date
Notes