moving firewall rules by command

brychtak · Wed Sep 27, 2006 12:02 pm

Hello, I have mikrotik in hotspot mode and i have problem with firewall rules. Hotspot firewall rules are dynamically added but i have a static rules as well. Everything works OK until reboot

After reboot first rules are dynamic a last ones are my static which is bad. So i need to move static rules from bottom to top always after reboot. The command is (for example): ip firewall filter move 21 0. but what abou if on line 21 will not be my static rule but other one? I would like to have command something like this>
if firewall rule contains dstnat, source addres=192.168.91.160/27 protocol=6 (tcp) destination port=53 than move this rule to position 1... Could you help me with this script? litlle bit tough one for me. thank you in advance. Radek

brychtak · Mon Oct 02, 2006 6:14 pm

no idea?

that's bad... ip firewall nat move 23 1 works ok but sometimes the rule is on line 22 sometimes 24 after reboot...

Eugene · Tue Oct 03, 2006 2:04 pm

heh, nothing easier than that:
assign both rules a comment, say "rule1" and "rule2".
Then move arrange them with the following command:
/ip fire filter move rule1 rule2

Edit:

There is also "find" command:

/ip fire filter move [/ip fire filter find dst-addres=10.0.0.0/8] rule1

brychtak · Thu Oct 05, 2006 10:46 am

yes it works, thank you. but if you want to move rule by this command you have to do a command "print all without-paging" before. if you paste these commands into run-scripts (or scheduler - doesn't matter) it won't work

in new terminal no problem or telnet.

ip firewall filter print all without-paging
ip firewall filter move [/ip firewall filter find comment=0000] 0
ip firewall filter move [/ip firewall filter find comment=0001] 1

ip firewall nat print all without-paging
ip firewall nat move [/ip firewall nat find comment=0000] 0
ip firewall nat move [/ip firewall nat find comment=0001] 1

I need these commands running every reboot because my firewall rules are on the bottom after reboot which is bad...

Radek

heh, nothing easier than that:
assign both rules a comment, say "rule1" and "rule2".
Then move arrange them with the following command:
/ip fire filter move rule1 rule2

Edit:

There is also "find" command:

/ip fire filter move [/ip fire filter find dst-addres=10.0.0.0/8] rule1

olmi · Thu Apr 26, 2007 9:04 pm

Under the given instruction for me does not work. I do as all it is written. Some attempts did. Where a mistake? Help!
(Comments has added rule1 rule2)
1. [admin@MikroTik] > ip firewall nat move rule2 rule1
no items or no numbers defined

2.[admin@MikroTik] > ip fire filter move [/ip firewall filter comment=rule1] [/ip firewall filter comment=rule2]
invalid item number

Prompt how correctly to make a script which will mix chains.

I am sorry for my English.
In advance thanks.

mrz · Thu Apr 26, 2007 9:51 pm

1. only numbers can be specified. For example if you want to move rule 3 to first position:
/ip firewall nat move 3 0

2. use find command
/ip fire filter move [/ip firewall filter find comment=rule1] [/ip firewall filter find comment=rule2]

olmi · Fri Apr 27, 2007 3:27 pm

[admin@MikroTik] > /ip fire filter move [/ip firewall filter find comment=rule1
] [/ip firewall filter find comment=rule2]

no items or no numbers defined

Ehman · Thu Oct 03, 2013 6:25 pm

Now I'm sitting with the same problem!, all the methods in here are dodgy...I need to move 10 rules on the top, I had a power failure and all my top rules on my hotspot moved down causing me to have critical access blocked from clients

how can I fix this with a script every time my unit boots

Ehman · Thu Oct 03, 2013 6:30 pm

I've got 10 of them example:

/ip firewall filter move [find comment='rule0"] 0
/ip firewall filter move [find comment='rule1"] 0
/ip firewall filter move [find comment='rule2"] 0
/ip firewall filter move [find comment='rule3"] 0
/ip firewall filter move [find comment='rule4"] 0
/ip firewall filter move [find comment='rule5"] 0
/ip firewall filter move [find comment='rule6"] 0
/ip firewall filter move [find comment='rule7"] 0
/ip firewall filter move [find comment='rule8"] 0
/ip firewall filter move [find comment='rule9"] 0

If I paste that in my terminal, then its does the job, but if I make a script out of that code, its a mess sometimes... it makes no sense

bug in ros?

I'm running v6.3

mrz · Fri Oct 04, 2013 10:43 am

read my post
http://forum.mikrotik.com/viewtopic.php?p=72336#p72336

Ehman · Fri Oct 04, 2013 12:02 pm

read my post
http://forum.mikrotik.com/viewtopic.php?p=72336#p72336

Hi, yea.. I've been checking your post out, but its not working

1. only numbers can be specified. For example if you want to move rule 3 to first position:
/ip firewall nat move 3 0

2. use find command
/ip fire filter move [/ip firewall filter find comment=rule1] [/ip firewall filter find comment=rule2]

no luck, the first one might work, but I've got 73 rules, and don't know where the rules are changing to and it not to say that it will change every time I reboot, so I cant make a startup schedule, it happened once on a dodgy power failure... I were unable to replicate the scenario ever since, if it reboots.. no issue... if I unplug the power.. no issue...sooo mikrotik weird

I use find comment on my rules to move to 0, but it still doesn't do it in the right order like in script and if I post the exact! same code in terminal it does a different job, I would say, it works better, but seconds later, it doesn't work at all ...its just plain dodgy, that's the only way to describe it and doesn't do the job right, so I'm going to BUY a ups and hope for the best

moving firewall rules by command

moving firewall rules by command

Re: moving firewall rules by command

Re: moving firewall rules by command

Re: moving firewall rules by command

Re: moving firewall rules by command