Here you go. (it may not bee perfect, but works for me)
Upper blocking part (not at top, but high in the filter list)
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list- Send to TARPIT to prewent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT log-prefix=FI_J_TCP-port-test protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet log-prefix=FX_T_TCP-port-test protocol=tcp
add action=drop chain=TARPIT log-prefix=FX_D_TCP-port-test protocol=tcp
add action=drop chain=input in-interface=ether1 log-prefix=FI_D_UDP-port-test protocol=udp src-address-list=FW_Block_unkown_port
Bottom (at the end of filter list)part that adds an IP to access list if no rule above has been used.
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment= "Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or droped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test