Does the order of the ports knocked matters in Port Knocking?

RouterOS General
1

I have just finished setting up Port Knocking on my MikroTik router and it works.
It works nice: I send a port knock in sequence to three tcp ports, 1000, 2000, 3000 and then connect fine with WinBox.
Now, I have tried to scramble the order of the ports when performing a port knock to: 2000, 3000, 1000, follewig with a connect with Winbox and I can connect!
Do I miss something or the port knocking configured in my /ip firewall filter does not care of the order in which port are knocked?
Can someone please shed light on this?

thank you

I have configured /ip firewall filter as follows:

;;; port knock 1
add action=add-src-to-address-list address-list=port_knocking address-list-timeout=
1m chain=input dst-port=1000 protocol=tcp

;;; port knock 2
add action=add-src-to-address-list address-list=port_knocking address-list-timeout=
1m chain=input dst-port=2000 protocol=tcp

;;; port knock 3
add action=add-src-to-address-list address-list=secure address-list-timeout=1m
chain=input dst-port=3000 protocol=tcp
src-address-list=port_knocking

;;; remote management winbox
add action=accept chain=input dst-port=8291
protocol=tcp src-address-list=secure

;;; *** LAST FILTER!* drop everything else
add action=drop chain=input in-interface=pppoe-out2

2

As I see it you either have to first knock 1000 OR 2000 and if you then knock 3000 you will be granded access.
If you want a specific order, all three should be assigned a dedicated address-list.
so knock 1000, add to list port-knock1
then; knock 2000, when in port-knock1, add to port-knock2
then knock 3000, when in port-knock2, add to secure
then winbox, when in secure, allow access.

3

Now I have configured as for your suggestion:
still mangling the order of knocked ports give me access to Winbox!
Maybe I have mis-translated your pseudo-config ?

/ip firewall filter

add action=add-src-to-address-list address-list=port-knock-1
address-list-timeout=1m chain=input dst-port=1000
protocol=tcp

add action=add-src-to-address-list address-list=port-knock-2
address-list-timeout=1m chain=input dst-port=2000
protocol=tcp src-address-list=port-knock-1

add action=add-src-to-address-list address-list=secure address-list-timeout=1m
chain=input dst-port=3000 protocol=tcp
src-address-list=port-knock-2

add action=accept chain=input comment="remote management winbox" dst-port=8291
protocol=tcp src-address-list=secure

add action=drop chain=input in-interface=pppoe-out2