Manual:IP/Settings: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
Line 47: Line 47:
{{Mr-arg-table
{{Mr-arg-table
|arg=arp-timeout
|arg=arp-timeout
|type=time
|type=time interval
|default=30s
|default=30s
|desc=Timeout for ARP table entries.
|desc=ARP timeout on all interfaces that use ARP. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used.
}}
}}


Line 83: Line 83:
|default=yes
|default=yes
|desc=Whether to send ICMP redirects. Recommended to be enabled on routers.
|desc=Whether to send ICMP redirects. Recommended to be enabled on routers.
}}
{{Mr-arg-table
|arg=arp-timeout
|type=time interval
|default=30s
|desc=ARP timeout on all interfaces that use ARP. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used.
}}
}}



Revision as of 13:18, 5 December 2013

Applies to RouterOS: v6+

Summary

Sub-menu: /ip settings


IP Settings allows to configure several IP related kernel parameters.



Properties

Property Description
accept-redirects (yes | no; Default: no) Whether to accept ICMP redirect messages. Typically should be enabled on host and disabled on routers.
accept-source-route (yes | no; Default: no) Whether to accept packets with SRR option. Typically should be enabled on router.
allow-fast-path (yes | no; Default: yes) Allows fast path
arp-timeout (time interval; Default: 30s) ARP timeout on all interfaces that use ARP. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used.
ip-forwarding (yes | no; Default: yes) Emable/disable packet forwarding between interfaces. Resets all configuration parameters to defaults according to RFC1812 for routers.
rp_filter (loose | no | strict; Default: no) Disables enables source validation.
  • no - No source validation.
  • strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
  • loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.
secure-redirects (yes | no; Default: yes) Accept ICMP redirect messages only for gateways, listed in default gateway list.
send-redirects (yes | no; Default: yes) Whether to send ICMP redirects. Recommended to be enabled on routers.
tcp_syncookies (yes | no; Default: no) Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'. syncookies seriously violate TCP protocol, do not allow o use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you.


[ Top | Back to Content ]