# Firewall RAW

## TL;DR (Quick Start)

For the impatient: drop DDoS traffic before connection tracking.

```
# Drop blacklisted IPs in RAW (most efficient)
/ip firewall raw add chain=prerouting src-address-list=blacklist action=drop

# Bypass connection tracking for specific traffic
/ip firewall raw add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=notrack
```

Verify:

```
/ip firewall raw print stats
```

## Overview
What this does: the RAW table processes packets BEFORE connection tracking, making it the most efficient place to drop unwanted traffic. Packets dropped here never incur the connection tracking overhead at all.
When to use this:
- DDoS mitigation (high-volume attacks)
- Large blacklists (10k+ entries)
- Bypassing connection tracking for trusted traffic
- Reducing CPU load during attacks
RAW vs Filter:

| Aspect | RAW | Filter |
|---|---|---|
| Processing order | Before conntrack | After conntrack |
| CPU efficiency | Higher | Lower |
| Stateful matching | No | Yes |
| Connection tracking | Bypassed | Used |
| TCP RST on reject | No | Yes |
Chains:

- `prerouting` - Incoming packets before routing
- `output` - Router-generated packets
Prerequisites:
- Understanding of packet flow
- Address lists for blacklist management
## Configuration Steps

### Drop Blacklisted Sources

```
/ip firewall raw add chain=prerouting src-address-list=blacklist action=drop \
    comment="Drop blacklisted IPs before conntrack"
```

### Bypass Connection Tracking

For trusted LAN-to-LAN traffic:

```
/ip firewall raw add chain=prerouting src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 action=notrack comment="Notrack LAN traffic"
/ip firewall raw add chain=output src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 action=notrack comment="Notrack LAN output"
```

### Drop Invalid Packets Early

```
/ip firewall raw add chain=prerouting protocol=tcp tcp-flags=fin,syn action=drop
/ip firewall raw add chain=prerouting protocol=tcp tcp-flags=syn,rst action=drop
/ip firewall raw add chain=prerouting protocol=tcp tcp-flags=fin,rst action=drop
```

### Drop Bogon Sources

```
/ip firewall raw add chain=prerouting in-interface-list=WAN \
    src-address-list=bogons action=drop comment="Drop bogon sources from WAN"
```
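The configuration steps above combined into one ordered RAW ruleset, as an added example that is not part of the original page. It assumes the interface list `WAN` already exists and that 192.168.88.0/24 is the trusted LAN. Because the page uses a `bogons` address list without defining it, the example populates it with the standard non-routable ranges (RFC 1918, RFC 6598 shared space, loopback, link-local, documentation and benchmarking blocks, multicast and reserved); if your own WAN uplink sits on a private or CGNAT address, leave that range out, or DHCP and all upstream traffic will be dropped. The blacklist entry is a constructed sample value. The final filter rule is the counterpart of the notrack rules: packets that bypass conntrack arrive in the filter table as `connection-state=untracked` and never match `established` or `related`, so a default-drop filter silently blocks them unless they are accepted explicitly.

```routeros
# Added example: complete RAW setup, not from the original page.
# Assumes interface list "WAN" exists and 192.168.88.0/24 is the trusted LAN.

# 1. Address lists. The bogon ranges are the standard non-routable blocks;
#    remove any range your own WAN uplink actually uses (e.g. CGNAT 100.64.0.0/10).
/ip firewall address-list
add list=bogons address=0.0.0.0/8       comment="this network (RFC 1122)"
add list=bogons address=10.0.0.0/8      comment="private (RFC 1918)"
add list=bogons address=100.64.0.0/10   comment="shared address space / CGNAT (RFC 6598)"
add list=bogons address=127.0.0.0/8     comment="loopback"
add list=bogons address=169.254.0.0/16  comment="link-local"
add list=bogons address=172.16.0.0/12   comment="private (RFC 1918)"
add list=bogons address=192.0.2.0/24    comment="TEST-NET-1 (RFC 5737)"
add list=bogons address=192.168.0.0/16  comment="private (RFC 1918)"
add list=bogons address=198.18.0.0/15   comment="benchmarking (RFC 2544)"
add list=bogons address=198.51.100.0/24 comment="TEST-NET-2 (RFC 5737)"
add list=bogons address=203.0.113.0/24  comment="TEST-NET-3 (RFC 5737)"
add list=bogons address=224.0.0.0/3     comment="multicast and reserved (224/4 + 240/4)"
# Blacklist entries should expire on their own; 203.0.113.10 is a constructed sample value.
add list=blacklist address=203.0.113.10 timeout=1d comment="sample entry (constructed)"

# 2. RAW rules, evaluated top to bottom before connection tracking.
#    Drops go first so blacklisted or spoofed sources never reach the notrack rules.
/ip firewall raw
add chain=prerouting src-address-list=blacklist action=drop \
    comment="Drop blacklisted IPs before conntrack"
add chain=prerouting in-interface-list=WAN src-address-list=bogons action=drop \
    comment="Drop bogon sources from WAN"
add chain=prerouting protocol=tcp tcp-flags=fin,syn action=drop comment="Invalid TCP flags fin,syn"
add chain=prerouting protocol=tcp tcp-flags=syn,rst action=drop comment="Invalid TCP flags syn,rst"
add chain=prerouting protocol=tcp tcp-flags=fin,rst action=drop comment="Invalid TCP flags fin,rst"
add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=notrack comment="Notrack LAN traffic"
add chain=output src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=notrack comment="Notrack LAN output"

# 3. Filter side: notrack packets show up as connection-state=untracked, so they
#    must be accepted explicitly, ahead of the usual established/related/invalid rules
#    (place-before=0 puts the rule at the top of the existing forward chain).
/ip firewall filter
add chain=forward connection-state=untracked action=accept place-before=0 \
    comment="Accept LAN-to-LAN traffic that bypasses conntrack"

# 4. Confirm the counters move: blacklist/bogon drops on WAN, notrack on LAN traffic.
/ip firewall raw print stats
```

Note that the LAN-to-LAN notrack rules also mean that traffic is invisible to NAT and to any stateful filter rule; keep them restricted to traffic that genuinely needs neither, which is the same caveat the Troubleshooting section below makes.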
## RAW Actions

| Action | Description |
|---|---|
| accept | Accept packet (continues to conntrack) |
| drop | Silently drop packet |
| notrack | Bypass connection tracking |
| jump | Jump to custom chain |
| return | Return from custom chain |
## When to Use RAW vs Filter

| Scenario | Use RAW | Use Filter |
|---|---|---|
| DDoS mitigation | Yes | No |
| Large blacklist (10k+) | Yes | Possible |
| Small blacklist | Optional | Yes |
| Need stateful matching | No | Yes |
| Need TCP RST | No | Yes |
| High packet rate | Yes | No |
## Verification

```
# View rules with stats
/ip firewall raw print stats

# Check connection tracking status
/ip firewall connection tracking print

# Monitor dropped packets
/ip firewall raw print stats where action=drop
```
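A small monitoring script, added here and not part of the original page, that turns the one-off `print stats` check into something a scheduler can run: it walks every RAW drop rule, reads its packet and byte counters and writes them to the log, so a sudden jump in the blacklist or bogon counters is visible in `/log print` or on a remote syslog target. It assumes the rule comments used in the configuration steps above; the five-minute interval is an arbitrary choice.

```routeros
# Added example (not from the original page): log the counters of every RAW drop rule.
/system script
add name=raw-drop-audit source={
    :foreach r in=[/ip firewall raw find action=drop] do={
        :local c [/ip firewall raw get $r comment]
        :local p [/ip firewall raw get $r packets]
        :local b [/ip firewall raw get $r bytes]
        :log info ("raw-drop \"" . $c . "\" packets=" . $p . " bytes=" . $b)
    }
}

# Run it every five minutes (the interval is an arbitrary choice).
/system scheduler
add name=raw-drop-audit interval=5m on-event=raw-drop-audit

# Run once by hand and read the result.
/system script run raw-drop-audit
/log print where message~"raw-drop"
```

Counters are cumulative, so the useful signal is the delta between two runs rather than the absolute value; feeding the log lines to a syslog collector that graphs them per rule comment makes that delta obvious.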
## Troubleshooting

| Symptom | Cause | Solution |
|---|---|---|
| Notrack traffic not filtered | Filter uses conntrack | Use RAW or accept in filter |
| Stateful rules don’t work | Notrack bypasses conntrack | Remove notrack or use RAW drop |
| NAT not working for traffic | Notrack disables NAT | Don’t notrack NAT-required traffic |
## Common Mistakes

- Don’t notrack traffic that needs NAT - NAT requires connection tracking
- Don’t use RAW for stateful filtering - use filter chain instead
- Don’t forget that notrack traffic shows as `untracked` in filter
## Related Topics

- Firewall Filter - Stateful packet filtering
- Address Lists - Blacklist management
- Connection Tracking - Understanding conntrack