export one firewall address list out of many

Greetings,
I have a router which has 12 address lists ranging in size from about 10 entries to over 50,000 entries. I would like to export one of the address lists, which has about 1100 entries, so that I can import it into another router. Looking into the help on the export command, I don’t see a way to only export a specific address list without intermixing the other 11 address lists in the data. Is it possible to export only one list? If so, what is the command?
Thank you.

It is not possible; you can only export all.

Thank you for the quick reply. I guess I’ll have to fix this with a text editor after the export.

¯_(ツ)_/¯

Why would you attempt to maintain a list of that many entries…

After the export?
On both Linux and Windows (with PowerShell) you can automate the export of only the wanted address list.

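Example for PowerShell
$filea = "exportofalladdresslists.rsc"
$fileb = "onlythislist.rsc"

# Read the whole export and join wrapped lines: the export ends a wrapped line
# with "\" and indents its continuation by four spaces.
$viz = [IO.File]::ReadAllText($filea)
$viz = $viz -replace "\\\r?\n {4}", ""
# Write the unwrapped text back over the input file.
$viz | Set-Content -NoNewline $filea
# Start the output with the menu path, then append every entry of the wanted list.
Set-Content $fileb "/ip firewall address-list" -encoding ASCII
gc $filea | % {if($_ -match "list=my_selected_address_list"){Add-Content $fileb $_ -encoding ASCII}}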

@anav The two largest firewall lists are both security related. The second largest is a list compiled by a security partner of ours of over 1100 IP addresses to blacklist due to them being known sources of attacks from bad actors. The largest list is a list of all IPv4 address ranges known to be assigned to organizations in the United States. This list is roughly 50,000 entries. Since my organization does business almost exclusively in the United States, and because we don’t have in-house personnel for 24/7 protection, we use a firewall rule that says block all traffic that is not on that address list while the office is closed. This effectively blocks 90% of potential attack vectors while we aren’t around to respond. We tried doing the same for IPv6 addresses, but the address list ended up being close to 600,000 entries, and the router started lagging. We whitelisted Mikrotik’s IPs so we can update our routers after hours, and a few other sites as we need them.

@rextended Thanks for that script! Sadly, I didn’t see your post until after I spent an hour editing the list. I’m not very experienced with scripting, so it didn’t occur to me to try that method.

RouterOS can perfectly well export one address-list out of many with a script, on its own. And import them again, too.

You just have to put the effort into it to write the script.

Bye

If you know a way to export selected address-list without all the others, with RouterOS instructions, please tell us all...


I can think only to

/ip firewall address-list print file=onlythislist where list=my_selected_address_list

The onlythislist.txt file must be opened later, one piece at a time

dec/14/2022 23:18:24 by RouterOS 6.48.6
software id = DEAD-BEEF
Flags: X - disabled, D - dynamic
LIST ADDRESS CREATION-TIME
0 ;;; SBL256894
AAA_ip_DROP 1.10.16.0/20 feb/01/2022 12:57:20
1 ;;; SBL434604
AAA_ip_DROP 1.19.0.0/16 feb/01/2022 12:57:20
2 ;;; SBL286275
AAA_ip_DROP 1.32.128.0/18 feb/01/2022 12:57:20
3 ;;; SBL459831
AAA_ip_DROP 2.56.192.0/22 feb/01/2022 12:57:20
4 ;;; SBL538946
AAA_ip_DROP 2.57.232.0/23 feb/01/2022 12:57:20
5 ;;; SBL538947
AAA_ip_DROP 2.57.234.0/23 feb/01/2022 12:57:20
6 ;;; SBL494020
AAA_ip_DROP 2.58.176.0/23 feb/01/2022 12:57:20
...
And on the receiving RouterBOARD the "add" instruction must be reconstructed from the various pieces of info in this file.

It is faster to use PowerShell... (or the API for those who know how to use them)

A little teaser of the options available; it is a complete ecosystem that produces an address-list in RSC format that is standalone and has the script and list integrated in one file. Ideal for distribution. The script is over 200 lines including many comments.

:set $helpText "
Backup function for creating a address-list file that can then be directly imported in\r
RouterOS again. You can select one address-list at a time and a file can only contain one address-list.\r
\nThe following parameters are available:\r
verbose -- displays in case of an error in the stated parameters.\r
skiplog -- no logging is done in case of an error in the stated parameters.\r
eraseNoDyn -- on restore do not erase any present dynamic entries without a time-out.\r
keepTimeout -- do not change the current time-outs in the address-list. Conflicts if a newTimeout is stated in the parameters for this function.\r
newTimeout -- replace current time-outs by the newly given time-out.\r
noGlobalTimeout -- is used to have a simpler restore script.\r
setGlobalTime -- is used to write a smaller to restore address-list by omitting separate times-outs for every address-list entry.\r
help -- when used with an parameter in front then information about that is displayed. \"-help\" alone will display all the parameters.\r
version -- displays the version of this script.\r
"; # <-- has to be at the utmost left to have no extra spaces in the output or incomplete parameters are shown.

Bye

Those Powershell scripts may be simple for experienced Powershell users, but for me a “grep” command is a lot simpler.
Use /ip firewall address-list export terse file=name and filter what you need using grep, find, or whatever file string search.
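
The filtering suggested in the posts above, as an added example in POSIX shell and awk (not code from any poster in this thread). It goes a little beyond a plain grep: it accepts both the wrapped and the terse export layout, and it compares the list name exactly, so a list whose name only starts with the wanted one, a comment that mentions it, or a filter rule's src-address-list= parameter is not copied. The names extract_list and sample_export and the sample file contents are constructed for illustration.

```sh
# Added example: copy one address list out of a RouterOS export (plain or terse).
extract_list() {   # $1 = export file, $2 = exact list name
    awk -v want="$2" -v sect="/ip firewall address-list" '
    # Return the value of the list= parameter, honouring quoted values.
    function list_of(s,   i, c, inq, esc, tok, name) {
        s = s " "
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (esc) { tok = tok c; esc = 0; continue }
            if (c == "\\") { tok = tok c; esc = 1; continue }
            if (c == "\"") { inq = !inq; continue }
            if (c == " " && !inq) { if (tok ~ /^list=/) name = substr(tok, 6); tok = ""; continue }
            tok = tok c
        }
        return name
    }
    BEGIN { print sect }                     # menu path expected by /import
    {
        sub(/\r$/, "")                       # tolerate CRLF files
        if (cont) sub(/^    /, "")           # drop the continuation indent
        line = line $0
        if (line ~ /\\$/) { line = substr(line, 1, length(line) - 1); cont = 1; next }
        cont = 0; cur = line; line = ""
        if (index(cur, sect " add ") == 1) cur = substr(cur, length(sect) + 2)  # terse
        else if (cur ~ /^\//) { insect = (cur == sect); next }    # section header
        else if (!insect) next                                    # other menus
        if (cur ~ /^add / && list_of(cur) == want) print cur
    }' "$1"
}

# Constructed sample export (list name and first prefixes as in the thread).
sample_export() {
    cat <<'EOF'
# constructed sample, not real router output
/ip firewall address-list
add address=1.10.16.0/20 comment=SBL256894 list=AAA_ip_DROP
add address=192.0.2.0/24 list=AAA_ip_DROP_v2
add address=198.51.100.0/24 comment="see list=AAA_ip_DROP" list=US_ranges
add address=1.19.0.0/16 comment="wrapped entry \
    SBL434604" list=AAA_ip_DROP
/ip firewall filter
add action=drop chain=input src-address-list=AAA_ip_DROP
EOF
}

tmp=$(mktemp); sample_export > "$tmp"
extract_list "$tmp" AAA_ip_DROP; rm -f "$tmp"
```

Redirect the function's output to a .rsc file and load it on the other router with /import.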