Manual IP Firewall Raw - MikroTik Wiki

This document provides a summary of the RAW table in RouterOS firewalls. The RAW table allows selectively bypassing or dropping packets before connection tracking to reduce CPU load, and is useful for mitigating DOS attacks. It has two chains, prerouting and output, and does not depend on connection tracking.


Manual:IP/Firewall/Raw


Contents
Summary
Chains
Properties
Configuration examples

Summary
Sub-menu: /ip firewall raw

The firewall RAW table allows selectively bypassing or dropping packets before connection tracking, which significantly reduces CPU load. The tool is very useful for DoS attack mitigation.

The RAW table does not have matchers that depend on connection tracking (like connection-state, layer7 etc.).
If a packet is marked to bypass connection tracking, packet de-fragmentation will not occur.

Chains
There are two predefined chains in the RAW table:

prerouting - used to process any packet entering the router

output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.

Packet flow diagrams illustrate how packets are processed in RouterOS.

Properties
action (action name; Default: accept) - Action to take if the packet is matched by the rule:
  accept - accept the packet. The packet is not passed to the next firewall rule.
  add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
  add-src-to-address-list - add the source address to the address list specified by the address-list parameter
  drop - silently drop the packet
  jump - jump to the user-defined chain specified by the value of the jump-target parameter
  log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
  notrack - do not send the packet to connection tracking
  passthrough - ignore this rule and go to the next one (useful for statistics)
  return - passes control back to the chain from where the jump took place

address-list (string; Default: ) - Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list.

address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) - Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions.
  A value of none-dynamic (00:00:00) will leave the address in the address list until reboot
  A value of none-static will leave the address in the address list forever, and it will be included in configuration export/backup

chain (name; Default: ) - Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.

comment (string; Default: ) - Descriptive comment for the rule.

dscp (integer: 0..63; Default: ) - Matches the DSCP IP header field.

dst-address (IP/netmask | IP range; Default: ) - Matches packets whose destination is equal to the specified IP or falls into the specified IP range.

dst-address-list (name; Default: ) - Matches the destination address of a packet against a user-defined address list.

dst-address-type (unicast | local | broadcast | multicast; Default: ) - Matches destination address type:
  unicast - IP address used for point-to-point transmission
  local - if dst-address is assigned to one of the router's interfaces
  broadcast - packet is sent to all devices in the subnet
  multicast - packet is forwarded to a defined group of devices

dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) - Matches packets until a given rate is exceeded. The rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. A flow is defined by the mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire].
  count - packet count per time interval per flow to match
  time - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified)
  burst - initial number of packets per flow to match: this number gets recharged by one every time/count, up to this number
  mode - specifies which unique fields define a flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)
  expire - specifies the interval after which a flow with no packets will be allowed to be deleted (optional)

dst-port (integer[-integer]: 0..65535; Default: ) - List of destination port numbers or port number ranges.

fragment (yes | no; Default: ) - Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments, as the system automatically assembles every packet.

hotspot (auth | from-client | http | local-dst | to-client; Default: )

icmp-options (integer:integer; Default: ) - Matches ICMP type:code fields.

in-bridge-port (name; Default: ) - Actual interface through which the packet has entered the router, if the incoming interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings.

in-interface (name; Default: ) - Interface through which the packet has entered the router.

in-interface-list (name; Default: ) - Set of interfaces defined in an interface list. Works the same as in-interface.

ingress-priority (integer: 0..63; Default: ) - Matches the ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bits.

ipsec-policy (in | out, ipsec | none; Default: ) - Matches the policy used by IPsec. The value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
  in - valid in the PREROUTING chain
  out - valid in the OUTPUT chain
  ipsec - matches if the packet is subject to IPsec processing
  none - matches a packet that is not subject to IPsec processing (for example, an IPsec transport packet)
  For example, if the router receives an IPsec-encapsulated GRE packet, then the rule ipsec-policy=in,ipsec will match the GRE packet, but the rule ipsec-policy=in,none will match the ESP packet.

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) - Matches IPv4 header options:
  any - match a packet with at least one of the IPv4 options
  loose-source-routing - match packets with the loose source routing option. This option is used to route the internet datagram based on information supplied by the source
  no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
  no-router-alert - match packets with no router alert option
  no-source-routing - match packets with no source routing option
  no-timestamp - match packets with no timestamp option
  record-route - match packets with the record route option
  router-alert - match packets with the router alert option
  strict-source-routing - match packets with the strict source routing option
  timestamp - match packets with the timestamp option

jump-target (name; Default: ) - Name of the target chain to jump to. Applicable only if action=jump.

limit (integer,time,integer; Default: ) - Matches packets up to a limited rate (packet rate or bit rate). A rule using this matcher will match until this limit is reached. Parameters are written in the following format: count[/time],burst:mode.
  count - packet or bit count per time interval to match
  time - specifies the time interval in which the packet or bit count cannot be exceeded (optional, 1s will be used if not specified)
  burst - initial number of packets or bits to match: this number gets recharged every 10ms, so burst should be at least 1/100 of the rate per second
  mode - packet or bit mode

log (yes | no; Default: ) - Preferred method of logging instead of action=log.

log-prefix (string; Default: ) - Adds the specified text at the beginning of every log message. Applicable if action=log.

nth (integer,integer; Default: ) - Matches every nth packet.

out-bridge-port (name; Default: ) - Actual interface through which the packet is leaving the router, if the outgoing interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings.

out-interface (; Default: ) - Interface through which the packet is leaving the router.

out-interface-list (name; Default: ) - Set of interfaces defined in an interface list. Works the same as out-interface.

packet-size (integer[-integer]: 0..65535; Default: ) - Matches packets of the specified size or size range in bytes.

per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) - The PCC matcher allows dividing traffic into equal streams, with the ability to keep packets with a specific set of options in one particular stream.

port (integer[-integer]: 0..65535; Default: ) - Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP.

priority (integer: 0..63; Default: )

protocol (name or protocol ID; Default: tcp) - Matches a particular IP protocol specified by protocol name or number.

psd (integer,time,integer,integer; Default: ) - Attempts to detect TCP and UDP scans. Parameters are in the following format: WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight.
  WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as a port scan sequence
  DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as a possible port scan subsequence
  LowPortWeight - weight of the packets with a privileged (<1024) destination port
  HighPortWeight - weight of the packets with a non-privileged destination port

random (integer: 1..99; Default: ) - Matches packets randomly with the given probability.

src-address (IP/netmask | IP range; Default: ) - Matches packets whose source is equal to the specified IP or falls into the specified IP range.

src-address-list (name; Default: ) - Matches the source address of a packet against a user-defined address list.

src-address-type (unicast | local | broadcast | multicast; Default: ) - Matches source address type:
  unicast - IP address used for point-to-point transmission
  local - if the address is assigned to one of the router's interfaces
  broadcast - packet is sent to all devices in the subnet
  multicast - packet is forwarded to a defined group of devices

src-port (integer[-integer]: 0..65535; Default: ) - List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP.

src-mac-address (MAC address; Default: ) - Matches the source MAC address of the packet.

tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) - Matches the specified TCP flags:
  ack - acknowledging data
  cwr - congestion window reduced
  ece - ECN-echo flag (explicit congestion notification)
  fin - close connection
  psh - push function
  rst - drop connection
  syn - new connection
  urg - urgent data

tcp-mss (integer[-integer]: 0..65535; Default: ) - Matches the TCP MSS value of an IP packet.

time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) - Allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date.

tls-host (string; Default: ) - Allows matching traffic based on the TLS hostname. Accepts GLOB syntax (https://en.wikipedia.org/wiki/Glob_(programming)) for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).

ttl (integer: 0..255; Default: ) - Matches the packet's TTL value.

Configuration examples
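The following is an added configuration example, not taken from the wiki page, that ties the Summary's DoS-mitigation use of the raw table to the dst-limit format given in the Properties section. The interface names (ether1-wan, ether2-lan), the address-list name ddos-attackers, the thresholds and the 192.0.2.0/24 prefix are assumptions chosen for illustration.

```routeros
# Added example; not the wiki's own configuration. Interface names, the
# address-list name, the thresholds and the prefix are assumptions.

/ip firewall raw
# 1. Drop packets from sources already flagged, before connection tracking
#    ever sees them (this is where the CPU saving of the raw table comes from).
add chain=prerouting action=drop src-address-list=ddos-attackers \
    comment="drop flagged sources before conntrack"

# 2. Per-source SYN rate check. dst-limit format: count[/time],burst,mode[/expire]
#    -> 32 packets per 1s (time omitted) per src-address, burst 32, flow
#    entries expire after 10s of silence. Packets within the limit are
#    accepted here; only the excess falls through to rule 3.
add chain=prerouting protocol=tcp tcp-flags=syn,!ack in-interface=ether1-wan \
    dst-limit=32,32,src-address/10s action=accept \
    comment="SYN rate per source within limit"

# 3. Excess SYNs: record the source in the address list for 10 minutes.
#    The timeout makes the entry dynamic, so it clears itself and is not
#    written into configuration export/backup (unlike none-static).
add chain=prerouting protocol=tcp tcp-flags=syn,!ack in-interface=ether1-wan \
    action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m comment="flag SYN flood sources"

# 4. Bypass connection tracking for a trusted high-volume transit prefix.
#    Caveat from the page: notrack packets are not de-fragmented, and
#    connection-state / layer7 matchers in the filter table will not see them.
add chain=prerouting src-address=192.0.2.0/24 in-interface=ether2-lan \
    action=notrack comment="trusted transit, skip conntrack"
```

Rule order matters: the drop in rule 1 must precede the rate check, and the address list can be inspected with /ip firewall address-list print to confirm which sources were flagged and when their entries expire.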

Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:IP/Firewall/Raw&oldid=33227"

This page was last edited on 15 May 2019, at 09:06.
