[Ask]. Modify firewall order or add firewall with script.

Harno · Mon Aug 20, 2007 6:26 am

Anybody knows how to change firewall rule order with script.
or
Add new firewall rule in the 1st row with script.

Thanks.

Mon Aug 20, 2007 9:22 am

use move command

Harno · Thu Aug 23, 2007 7:30 am

my Mikrotik Version 2.9.xx

[admin@MikroTik] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; udp
     chain=forward protocol=udp action=jump jump-target=udp 

 1   ;;; icmp
     chain=forward protocol=icmp action=jump jump-target=icmp

i want to add new firewall rule in script

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment=tcp place-before=0

will add new rule on top..
that not work on script but work on console...

for move command...
syntax : /ip firewall filter move [number] [destination]
for console :

/ip firewall filter move 1 0

will move rule number 1 to 0
it's work...but for script i have to use "find"...

/ip firewall filter move [/ip firewall filter find comment="icmp"] 0

not work on script...but work on console

the main point is add new rule on top or move existing rule to top...both with script...

tangram · Thu Dec 14, 2017 12:40 pm

This still doesn't work. If you try to change position with move or place-before the script returns no such item or similar error.
Both commands work in winbox, ssh, etc. It's just a problem on running them from scripts.

ADahi · Thu Dec 14, 2017 1:12 pm

This still doesn't work. If you try to change position with move or place-before the script returns no such item or similar error.
Both commands work in winbox, ssh, etc. It's just a problem on running them from scripts.

show us your scripts, maybe we can find where the error

tangram · Thu Dec 14, 2017 3:15 pm

After some VERY frustrating experiences with this task i stumbled upon this:
https://gryzli.info/2015/01/18/mikrotik ... ll-by-cli/

You MUST do /ip firewall filter print before actually moving the rule. Useless to say it's annoying when running batches with dsh or putty.
So you rsc would be:
/ip firewall filter print
/ip firewall filter move [find where comment ="blabla"] destination=32

Or in a single line: '/ip firewall filter print; /ip firewall filter move [find where comment ="blabla"] destination=32'

Thu Dec 14, 2017 3:27 pm

Because it is the wrong way to do operations with items in scripts.
Proper way is to use find command to get internal IDs and work with those IDs.

tangram · Thu Dec 14, 2017 5:26 pm

Because it is the wrong way to do operations with items in scripts.
Proper way is to use find command to get internal IDs and work with those IDs.

What do you mean by internal ID ? Is 32 in the example above internal id ?
If so, then /ip firewall filter move X Y doesn't work either in a script.

Thu Dec 14, 2017 5:28 pm

No 32 is generated number in the buffer by console when you execute print command

Internal IDs are returned when you execute find command and always starts with *

ADahi · Thu Dec 14, 2017 6:14 pm

many thanks @mrz

tangram · Fri Dec 15, 2017 11:38 am

So why does it work when using ssh or winbox/terminal ?

Fri Dec 15, 2017 2:31 pm

Because ssh and telnet is interactive, you always do print before executing command and generated buffer is tied to your login session.

MattiTik · Wed Aug 21, 2019 3:06 am

I stumbled upon this post, while I was researching a similar topic.
I know I'm a bit late here. Regardless, I thought I would leave a reply, for future reference.

If you want to move the "icmp" Rule, directly above the "udp" rule, you have multiple options.

[admin@MikroTik] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; udp
     chain=forward protocol=udp action=jump jump-target=udp 

 1   ;;; icmp
     chain=forward protocol=icmp action=jump jump-target=icmp

I tend to refrain from using "Item Numbers" at all times, since they are NOT static.
Not to mention that there is a Warning, on the "Console" Page, of the MikroTik Manual, stating NOT to use "Item Numbers" in Scripts (https://wiki.mikrotik.com/wiki/Manual:C ... em_Numbers).
As a result, I've began working w/ Internal IDs, exclusively.

Firstly, you can use the "find" command twice, within a "move" command, as follows.

/ip firewall filter move [find comment="icmp"] [find comment="udp"]

Alternatively, you can use the "get" command (w/ the "find" command), to obtain the internal ID of each of the two firewall rules.

/ip firewall filter move ([/ip firewall filter get [find comment="icmp"]]->".id") ([/ip firewall filter get [find comment="udp"]]->".id")

[Ask]. Modify firewall order or add firewall with script.

[Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Re: [Ask]. Modify firewall order or add firewall with script.

Who is online