Setup guide
Description
Packets entering the router can be marked so that firewall chains, source or destination NAT rules
and queues can later match on the mark and process the packets accordingly.
It is also possible to mark all packets that belong to the same connection (including related
connections) as the marked packet; in other words, to mark a connection together with its related
connections you need to mark only one packet belonging to that connection.
You may also want to change the TCP Maximum Segment Size (MSS) to your desired MTU value less 40
(20 bytes of IPv4 header plus 20 bytes of TCP header). The MSS is carried as a TCP option and can be
set only in TCP SYN packets.
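The MSS rewrite described above, as an added example that is not part of the RouterOS manual: it parses a constructed IPv4/TCP packet, checks the SYN flag, walks the TCP option list for the MSS option (kind 2), lowers it to MTU less 40 when it is larger, and recomputes the TCP checksum. The addresses, ports and the packet builder are this example's own constructions.

```python
"""Added example (not from the RouterOS manual): TCP MSS clamping.

Parses a constructed IPv4/TCP packet and, if it is a SYN carrying an MSS
option (kind 2) larger than mtu - 40, rewrites the option and recomputes the
TCP checksum.  Non-SYN segments and already-small MSS values are left alone.
"""
from __future__ import annotations

import struct
from typing import Optional, Tuple

IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
TCP_SYN = 0x02
TCP_ACK = 0x10
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return tcp_checksum(packet[12:16], packet[16:20], tcp) == struct.unpack("!H", tcp[16:18])[0]


def clamp_mss(packet: bytes, mtu: int) -> Tuple[bytes, Optional[int]]:
    """Return (packet, new_mss); new_mss is None when nothing was changed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                       # not TCP
        return packet, None
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:                # the MSS option is only valid in SYN
        return packet, None
    data_offset = (tcp[12] >> 4) * 4
    target = mtu - IPV4_TCP_OVERHEAD
    i = 20
    while i < data_offset:
        kind = tcp[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break                            # truncated option list
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            break                            # malformed option length
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", tcp[i + 2:i + 4])[0]
            if current <= target:
                return packet, None          # already small enough
            tcp[i + 2:i + 4] = struct.pack("!H", target)
            tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
            return packet[:ihl] + bytes(tcp), target
        i += length
    return packet, None


def build_packet(mss: int, flags: int = TCP_SYN) -> bytes:
    """Constructed sample: 10.0.0.1:40000 -> 192.0.2.1:80 with an MSS option and NOP padding."""
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP] * 4)
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    clamped, mss = clamp_mss(build_packet(1460), 1400)
    print("new MSS:", mss, "TCP checksum ok:", tcp_checksum_ok(clamped))
```

Only the TCP checksum is recomputed: the option is rewritten in place, so the IP header, its length field and its checksum are unchanged. A segment without the SYN flag is returned untouched even if it carries an MSS option, which matches the rule that the MSS can only be set on SYN packets.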
Type of Service
Internet paths vary in the quality of service they provide. They can differ in cost, reliability,
delay and throughput. This situation imposes some tradeoffs; for example, the path with the lowest
delay may be among the slowest. Therefore, the "optimal" path for a packet to follow through the
Internet may depend on the needs of the application and its user.
Because the network itself has no knowledge of how to choose the best path for a particular
application or user, the IP protocol provides a facility for upper layer protocols to convey hints to
the Internet Layer about how the tradeoffs should be made for a particular packet. This facility is
called the "Type of Service" facility.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service
should be at least as good as it would have been if the host had not used this facility.
The TOS can be one of five types, each of them an instruction to:
• low-cost - minimize monetary cost
• low-delay - minimize delay
• normal - normal service
• max-reliability - maximize reliability
• max-throughput - maximize throughput
Property Description
action (accept | passthrough; default: accept) - action to undertake if the packet matches the rule,
one of:
• accept - accept the packet applying the appropriate attributes (marks, MSS), and no more rules
are processed in the list
• passthrough - apply the appropriate attributes (marks, MSS), and go on to the next rule
disabled (yes | no; default: no) - specifies whether the rule is disabled or not
in-interface (name; default: all) - interface the packet has entered the router through. If the default
value all is used, it may include the local loopback interface for packets originated from the router
src-address (IP address; default: 0.0.0.0/0:0-65535) - source IP address
src-netmask (IP address; default: accept) - source netmask in decimal form x.x.x.x
src-port (integer: 0..65535; default: 0-65535) - source port number or range
• 0 - all ports from 1 to 65535
comment (text; default: "") - a descriptive comment for the rule
dst-address (IP address; default: 0.0.0.0/0:0-65535) - destination IP address
dst-netmask (IP address; default: accept) - destination netmask in decimal form x.x.x.x
dst-port (integer: 0..65535; default: 0-65535) - destination port number or range
• 0 - all ports from 1 to 65535
icmp-options (integer; default: any:any) - matches ICMP Type:Code fields
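To make the rule semantics concrete, here is an added example that is not part of the RouterOS manual: a toy evaluator for a list of mangle rules. It shows the two points the text makes, that accept stops at the first matching rule while passthrough applies the mark and continues to the next rule, and that marking one packet of a connection causes later packets of that connection, including the reply direction, to carry the same mark. The Packet and Rule classes, the mark_connection flag, the connection table, and the addresses and ports are this example's own constructions; only the property names (action, disabled, in-interface, src/dst address and netmask, dst-port) follow the list above.

```python
"""Added example (not from the RouterOS manual): a toy mangle-chain evaluator.

accept  -> apply the mark and stop processing the list
passthrough -> apply the mark and go on to the next rule
mark_connection -> remember the mark for the whole connection, so later
                   packets of that connection (both directions) inherit it.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_interface: str
    proto: str = "tcp"
    mark: Optional[str] = None

    def conn_key(self) -> tuple:
        # Direction-agnostic key so the reply belongs to the same connection.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass
class Rule:
    mark: str
    action: str = "accept"                  # accept | passthrough
    disabled: bool = False
    in_interface: Optional[str] = None      # None = all interfaces
    src: str = "0.0.0.0/0"                  # src-address + src-netmask as one prefix
    dst: str = "0.0.0.0/0"                  # dst-address + dst-netmask as one prefix
    dst_port: Tuple[int, int] = (0, 65535)  # inclusive range; default = all ports
    mark_connection: bool = False           # example's own flag, not a manual property

    def matches(self, p: Packet) -> bool:
        if self.in_interface is not None and p.in_interface != self.in_interface:
            return False
        if IPv4Address(p.src) not in IPv4Network(self.src):
            return False
        if IPv4Address(p.dst) not in IPv4Network(self.dst):
            return False
        lo, hi = self.dst_port
        return lo <= p.dport <= hi


def apply_chain(rules: list, packet: Packet, conn_marks: Dict[tuple, str]) -> Packet:
    """Evaluate the rule list top to bottom for one packet."""
    key = packet.conn_key()
    if key in conn_marks:
        packet.mark = conn_marks[key]       # connection already marked: inherit it
    for rule in rules:
        if rule.disabled or not rule.matches(packet):
            continue
        packet.mark = rule.mark
        if rule.mark_connection:
            conn_marks[key] = rule.mark
        if rule.action == "accept":
            break                           # first accepting match ends processing
        # passthrough: keep the mark and continue with the next rule
    return packet


def run_demo(first_action: str = "passthrough") -> Dict[str, Optional[str]]:
    """Run four constructed packets through the same rule list; returns their final marks."""
    rules = [
        Rule(mark="lan", action=first_action, src="10.0.0.0/8"),
        Rule(mark="web", dst_port=(80, 80), mark_connection=True),
        Rule(mark="ssh", dst_port=(22, 22)),
        Rule(mark="never", disabled=True),  # would match everything if enabled
    ]
    conn_marks: Dict[tuple, str] = {}
    flows = {
        "web_syn":   Packet("10.0.0.5", "192.0.2.1", 40000, 80, "ether1"),
        "web_reply": Packet("192.0.2.1", "10.0.0.5", 80, 40000, "ether2"),
        "ssh":       Packet("10.0.0.7", "192.0.2.1", 40001, 22, "ether1"),
        "https":     Packet("10.0.0.7", "192.0.2.1", 40002, 443, "ether1"),
    }
    return {name: apply_chain(rules, p, conn_marks).mark for name, p in flows.items()}


if __name__ == "__main__":
    print("first rule passthrough:", run_demo("passthrough"))
    print("first rule accept:     ", run_demo("accept"))
```

With the first rule set to passthrough, the web SYN ends up marked "web" and its reply inherits that mark although no rule matches the reply itself; HTTPS traffic keeps the "lan" mark left by the passthrough rule. Change the first rule to accept and every LAN packet stops at rule one with mark "lan", the connection is never marked, and the reply arrives unmarked. Rule order and the accept/passthrough choice therefore decide which mark the firewall, NAT and queue stages later see.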