I am trying to come up with a script, that adds 2 new filter rules, and after that makes sure the "drop" rule is moved to the end.
In this script I assume that what ever is at the end of the filter list BEFORE I add my rules, must be the drop rule. So I determine the index of that rule first.
/ip firewall filter
:global dropruleindex ([:len [/ip firewall filter find]]-1)
add action=accept chain=input comment=VPN disabled=no protocol=ipsec-esp
add action=accept chain=input comment=VPN disabled=no protocol=udp src-port=500
move $dropruleindex
However, it appears that the move command ignores the content of the $dropruleindex variable, even though that variables contains the correct index-number. What am I doing wrong? Any other way to achieve this?
Re: Move a firewall rule to the end (V4.5)
I do not add or remove the rules. I enable and disable them with a script. Would that be good for you also?
Re: Move a firewall rule to the end (V4.5)
Thanks for the reply! That depends how you do it, maybe that holds a hint for me how it could be done in a different way than the approach I am currently using.
So yes please, post a sample of your script
So yes please, post a sample of your script
Re: Move a firewall rule to the end (V4.5)
I add a comment to each rule I want enabled or disabled. In this case, I would add the comment "test" to each rule I want to enable/disable.
To enable them:
To disable them:
To enable them:
Code: Select all
:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
/ip firewall filter enable $i
}Code: Select all
:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
/ip firewall filter disable $i
}
Re: Move a firewall rule to the end (V4.5)
or just
Code: Select all
/ip firewall filter disable [find comment="test"]Re: Move a firewall rule to the end (V4.5)
Thanks for the replies. I know the "trick" with setting a comment for the rules, and reference them by their comment name. That works just fine.
However, my goal is to come up with a script that adds those rules right after the first time (self) configuration of the router. At this point all the comments for the filter rules are "default configuration". I want to avoid having to manually set a comment named "drop" for the drop rule, before I run my script.
I am just a little surprised that the move command does not work when using variables. Presume the "drop" rule would be #3 in the list:
This WORKS:
This does NOT work:
However, my goal is to come up with a script that adds those rules right after the first time (self) configuration of the router. At this point all the comments for the filter rules are "default configuration". I want to avoid having to manually set a comment named "drop" for the drop rule, before I run my script.
I am just a little surprised that the move command does not work when using variables. Presume the "drop" rule would be #3 in the list:
This WORKS:
Code: Select all
### this will move number 3 to the end of the filter list
/ip firewall filter move 3
Code: Select all
:global index 3
/ip firewall filter move $index
Re: Move a firewall rule to the end (V4.5)
I have no experience with adding them, but it may be the move parameter.
Have you tried adding the rule with the "place-before=X" parameter?
X is the line number you want the rule above in the list.
No promises. I haven't tried it!
Have you tried adding the rule with the "place-before=X" parameter?
X is the line number you want the rule above in the list.
No promises. I haven't tried it!
Re: Move a firewall rule to the end (V4.5)
In 4.5 move uses the "numbers" and "destination" parameters. But anyway, that does not work either.
However, it gets even more weird. For the "destination" parameter passing a variable seems to work! It's just that for the "numbers" parameter passing a variable does not work. Btw, with "not work" I mean it fails with "no such item".
This works:
This does not work:
However, it gets even more weird. For the "destination" parameter passing a variable seems to work! It's just that for the "numbers" parameter passing a variable does not work. Btw, with "not work" I mean it fails with "no such item".
This works:
Code: Select all
move numbers=5 destination=$a
Code: Select all
move numbers=$a destination=5
Re: Move a firewall rule to the end (V4.5)
It looks like move works with the internal .id and numeric only values (at least from my testing). This worked for me on v4.5:
Your code revised:
Possibly a better approach: You could simply move all 'action=drop' rules to the bottom
The below script will work whether it finds 0, 1, or more drop rules, it will move each of them to the last position in the filter table.
Your code revised:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="VPN1" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="VPN2" disabled=yes protocol=udp src-port=500
:local fRules
# get current rule set
:set fRules [/ip firewall filter find]
# since we added two rules, move the last two rules up two positions (before last rule)
move [:pick $fRules ([:len $fRules] - 1)] [:tonum ([:len $fRules] - 3)]
move [:pick $fRules ([:len $fRules] - 2)] [:tonum ([:len $fRules] - 3)]
The below script will work whether it finds 0, 1, or more drop rules, it will move each of them to the last position in the filter table.
Code: Select all
:local dropRules
:local allRules
/ip firewall filter
:set dropRules [find action="drop"]
:foreach f in=$dropRules do={
:set allRules [/ip firewall filter find]
# Insert our rule just before bottom rule
move [:toid $f] [:tonum ([:len $allRules] - 2)]
:set allRules [/ip firewall filter find]
# swap our rule with bottom rule (making our rule last)
move [:toid [:pick $allRules ([:len $allRules] - 1)]] [:tonum ([:len $allRules] - 2)]
}
Re: Move a firewall rule to the end (V4.5)
Thank you for your very detailed answer! Both your suggestions work.
Then I gave this a try:And it worked also...
Then I gave this a try:
Code: Select all
move [find action="drop"]
Re: Move a firewall rule to the end (V4.5)
How do I just insert rules between others?
/ip firewall filter
add action=accept chain=input comment="Netgear Switch access" disabled=no src-address-list="Netgear Switch Access"
add action=accept chain=input comment="default configuration" disabled=no dst-port=123 protocol=udp
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.192.0/20 <- insert this line here???
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.195.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.198.0/24
Also, If this works,
move [find action="drop"]
Shouldnt this work?
remove [find src-address="216.231.198.0/24"]
/ip firewall filter
add action=accept chain=input comment="Netgear Switch access" disabled=no src-address-list="Netgear Switch Access"
add action=accept chain=input comment="default configuration" disabled=no dst-port=123 protocol=udp
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.192.0/20 <- insert this line here???
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.195.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.198.0/24
Also, If this works,
move [find action="drop"]
Shouldnt this work?
remove [find src-address="216.231.198.0/24"]
Re: Move a firewall rule to the end (V4.5)
use 'print', then 'add action=accept chain=input bla-bla-bla place-before=N', where N is the number of the rule one from the bottomHow do I just insert rules between others?
<...> <- insert this line here???
sure it worksIf this works,
move [find action="drop"]
Shouldnt this work?
remove [find src-address="216.231.198.0/24"]
Who is online
Users browsing this forum: No registered users and 22 guests