connection-type ( ftp | gre | h323 | irc | mms | pptp | quake3 | tftp ) - matches packets from related
connections based on information from their connection tracking helpers. A relevant connection
helper must be enabled under /ip firewall service-port
content ( text ) - the text packets should contain in order to match the rule
dst-address ( IP address | netmask | IP address | IP address ) - specifies the address range an IP
packet is destined to. Note that console converts entered address/netmask value to a valid network
address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list ( name ) - matches destination address of a packet against user-defined address list
dst-address-type ( unicast | local | broadcast | multicast ) - matches destination address type of the
IP packet, one of the:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
dst-limit ( integer | time | integer | dst-address | dst-port | src-address | time ) - limits the packet per
second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match,
every destination IP address / destination port has it's own limit. The options are as follows (in order
of appearance):
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
• Mode - the classifier(-s) for packet rate limiting
• Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port ( integer : 0 ..65535 | integer : 0 ..65535 ) - destination port number or range
hotspot ( multiple choice: from-client | auth | local-dst | http ) - matches packets received from
clients against various Hot-Spot. All values can be negated
• from-client - true, if a packet comes from HotSpot client
• auth - true, if a packet comes from authenticted client
• local-dst - true, if a packet has local destination IP address
• hotspot - true, if it is a TCP packet from client and either the transparent proxy on port 80 is
enabled or the client has a proxy address configured and this address is equal to the address:port
pair of the IP packet
icmp-options ( integer | integer ) - matches ICMP Type:Code fields
in-interface ( name ) - interface the packet has entered the router through
ipv4-options ( any | loose-source-routing | no-record-route | no-router-alert | no-source-routing |
no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp ) - match ipv4
header options
• any - match packet with at least one of the ipv4 options
• loose-source-routing - match packets with loose source routing option. This option is used to
Page 442 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
To Next Page
Loading...