Well, do you want to block connections that are originating from the IPs listened in the IPSet or do you want to block connections going out to the IPs listened in the IPSet?
For the first case, I would use src and for latter one I would use dest.
Assuming the first case:
First create a file containing your IP and port combinations:
I use my attached USB Drive here:
/mnt/sda1/myipset.ipset
(file name and extension doesn't matter)
Content:
91.234.168.83,tcp:56489
165.58.211.41,udp:12313
192.168.3.5,tcp:13216
195.56.212.35,udp:13235
Add an empty like at the bottom otherwise the last line doesn't get properly parsed.
When you don't specify a protocol like tcp,udp, ipset will default to tcp.
For example when you use:
91.234.168.83,56489
gets interpreted as:
91.234.168.83,tcp:56489
To automatically load the IPset at firewall (re)start:
/etc/config/firewall
config ipset
option name 'MyIPSet'
option storage 'hash'
option match 'src_ip src_port'
option loadfile '/mnt/sda1/myipset.ipset'
Change MyIPSet to any name you want.
(But I think white spaces and some special chars are unsupported)
option loadfile
needs to be the path (and filename) from the first step.
To block connections from WAN to your LAN use the following rule:
config rule
option name 'WAN-FORWARD-LAN-IPSET-MYIPSET-DROP'
option family 'ipv4'
option proto '*'
option src 'wan'
option dest 'lan'
option ipset 'MyIPSet'
option target 'DROP'
Coming back to your question about src and dest.
To match the opposite way.
Blocking connections from your LAN To WAN:
You can either change src_ip src_port
to dest_ip dest_port
and change the above rule to:
config rule
option name 'LAN-FORWARD-WAN-IPSET-MYIPSET-DROP'
option family 'ipv4'
option proto '*'
option src 'lan'
option dest 'wan'
option ipset 'MyIPSet'
option target 'DROP'
OR
leave the config ipset section as it is and only change (or add) the firewall rule as follows:
config rule
option name 'LAN-FORWARD-WAN-IPSET-MYIPSET-DROP'
option family 'ipv4'
option proto '*'
option src 'lan'
option dest 'wan'
option ipset 'MyIPSet dest dest'
option target 'DROP'
If you want to block connections to your router (not your internal network):
Use following rule:
config rule
option name 'WAN-INPUT-IPSET-MYIPSET-DROP'
option family 'ipv4'
option proto '*'
option src 'wan'
option ipset 'MyIPSet'
option target 'DROP'
But by looking at your IP/Port list, the port numbers look like random port numbers to me.
Maybe it makes more sense to only block by IP?
For this purpose you maybe want to have a look at the banip package it has support for a custom blacklist.
How large is your list?