Anybody knows how to change firewall rule order with script.
or
Add new firewall rule in the 1st row with script.
Thanks.
use move command
my Mikrotik Version 2.9.xx
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; udp
chain=forward protocol=udp action=jump jump-target=udp
1 ;;; icmp
chain=forward protocol=icmp action=jump jump-target=icmp
I want to add a new firewall rule in a script:
/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment=tcp place-before=0
will add the new rule on top.
That does not work in a script, but it works on the console.
For the move command, the syntax is: /ip firewall filter move [number] [destination]
On the console:
/ip firewall filter move 1 0
will move rule number 1 to 0.
It works, but in a script I have to use “find”:
/ip firewall filter move [/ip firewall filter find comment="icmp"] 0
Does not work in a script, but works on the console.
The main point is to add a new rule on top or move an existing rule to the top, both from a script.
This still doesn’t work. If you try to change position with move or place-before the script returns no such item or similar error.
Both commands work in winbox, ssh, etc. It’s just a problem on running them from scripts.
Show us your scripts, maybe we can find where the error is.
After some VERY frustrating experiences with this task I stumbled upon this:
https://gryzli.info/2015/01/18/mikrotik-managing-firewall-by-cli/
You MUST do /ip firewall filter print before actually moving the rule. Needless to say, it’s annoying when running batches with dsh or putty.
So your rsc would be:
/ip firewall filter print
/ip firewall filter move [find where comment="blabla"] destination=32
Or in a single line: /ip firewall filter print; /ip firewall filter move [find where comment="blabla"] destination=32
Because it is the wrong way to do operations with items in scripts.
Proper way is to use find command to get internal IDs and work with those IDs.
What do you mean by internal ID ? Is 32 in the example above internal id ?
If so, then /ip firewall filter move X Y doesn’t work either in a script.
No, 32 is a number generated in the buffer by the console when you execute the print command.
Internal IDs are returned when you execute the find command and always start with *.
many thanks @mrz
So why does it work when using ssh or winbox/terminal ?
Because ssh and telnet are interactive, you always do print before executing the command, and the generated buffer is tied to your login session.
I stumbled upon this post, while I was researching a similar topic.
I know I’m a bit late here. Regardless, I thought I would leave a reply, for future reference.
If you want to move the “icmp” Rule, directly above the “udp” rule, you have multiple options.
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; udp
chain=forward protocol=udp action=jump jump-target=udp
1 ;;; icmp
chain=forward protocol=icmp action=jump jump-target=icmp
I tend to refrain from using “Item Numbers” at all times, since they are NOT static.
Not to mention that there is a Warning, on the “Console” Page, of the MikroTik Manual, stating NOT to use “Item Numbers” in Scripts (https://wiki.mikrotik.com/wiki/Manual:Console#Item_Numbers).
As a result, I’ve begun working w/ Internal IDs, exclusively.
Firstly, you can use the “find” command twice, within a “move” command, as follows.
/ip firewall filter move [find comment="icmp"] [find comment="udp"]
Alternatively, you can use the “get” command (w/ the “find” command), to obtain the internal ID of each of the two firewall rules.
/ip firewall filter move ([/ip firewall filter get [find comment="icmp"]]->".id") ([/ip firewall filter get [find comment="udp"]]->".id")
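As an added example that is not part of the thread, the script below puts the two points made above (item numbers are a per-session console artefact; scripts should work with the internal IDs that find returns) into one runnable script that does what the original poster asked for: add a new rule at the top and move an existing rule to the top, without any print call. It assumes RouterOS v6/v7 script syntax and a filter table that already contains rules commented "udp" and "icmp" as in the print output; the "tcp" rule and its jump target are hypothetical and only illustrate the place-before syntax.

```routeros
# Added example (not from the thread): reorder firewall filter rules from a
# script using internal IDs only, never the item numbers shown by print.
# Assumes rules commented "udp" and "icmp" already exist; the "tcp" rule and
# the "tcp" jump chain are hypothetical.

# 1) Resolve each rule by comment and stop if the lookup is not unambiguous,
#    so a typo in a comment fails loudly instead of reordering the wrong rule
#    (an empty find result is what produces the "no such item" error).
:local udpId [/ip firewall filter find comment="udp"]
:local icmpId [/ip firewall filter find comment="icmp"]
:if ([:len $udpId] != 1 || [:len $icmpId] != 1) do={
    :error "expected exactly one rule each with comment udp and icmp"
}

# 2) Add a new rule directly before "udp", wherever "udp" currently sits.
#    place-before accepts the internal ID returned by find.
/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment="tcp" place-before=$udpId

# 3) Move "icmp" to the very top: the destination is the ID of whichever rule
#    is first right now, taken with :pick from the ordered list of all IDs.
:local firstId [:pick [/ip firewall filter find] 0]
/ip firewall filter move $icmpId $firstId

# 4) Read the resulting order back by ID and comment to verify it, again
#    without relying on console item numbers.
:foreach id in=[/ip firewall filter find] do={
    :put ("$id " . [/ip firewall filter get $id comment])
}
```

The length check in step 1 matters for the move in step 3: find returns an array, and while move accepts several IDs as the rules to move, the destination must be a single rule, so a comment that matches more than one rule should be rejected before anything is reordered.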