Sub-menu: /ip firewall raw
The firewall RAW table allows you to selectively bypass or drop packets before connection tracking, which significantly reduces the load on the CPU. It is very useful for DoS attack mitigation.
The RAW table does not have matchers that depend on connection tracking (such as connection-state, layer7, etc.).
If a packet is marked to bypass connection tracking, packet defragmentation will not occur.
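A small rule set showing both uses described above, dropping and bypassing before connection tracking. This is an added example, not part of the original page; the interface name ether1, the list name raw-blocklist and all addresses (documentation ranges) are assumptions.

```routeros
# Constructed sample source range to drop; replace with your own list entries.
/ip firewall address-list
add list=raw-blocklist address=198.51.100.0/24 comment="constructed sample range"

/ip firewall raw
# Drop listed sources in prerouting, before connection tracking sees the
# packet, so a flood from them costs no conntrack lookups or entries.
add chain=prerouting action=drop in-interface=ether1 \
    src-address-list=raw-blocklist comment="drop blocklisted sources pre-conntrack"

# Bypass connection tracking for one trusted high-volume flow, in both
# directions. Fragments of this flow are NOT reassembled by the router,
# and conntrack-dependent matchers and NAT do not apply to it.
add chain=prerouting action=notrack src-address=192.0.2.10 \
    dst-address=192.0.2.20 comment="notrack trusted flow A->B"
add chain=prerouting action=notrack src-address=192.0.2.20 \
    dst-address=192.0.2.10 comment="notrack trusted flow B->A"

/ip firewall filter
# Packets that bypassed tracking never become established/related, so the
# filter table has to accept them by their untracked state. This rule must
# sit above any general drop rule in the forward chain.
add chain=forward action=accept connection-state=untracked \
    comment="accept flows marked notrack in raw"
```

Keep the notrack matchers as narrow as possible: anything they match skips stateful filtering entirely and is judged only by the explicit untracked accept rule.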
For example, if the router receives an IPsec-encapsulated GRE packet, then the rule ipsec-policy=in,ipsec will match the GRE packet, but the rule ipsec-policy=in,none will match the ESP packet.
WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
Matches source address type: