Site Tools


Scripting Access Restrictions

Access Restriction rules are coded as strings separated by pipe ( | ) symbols. These are stored in NVRAM as variables named rrule0, rrule1, rrule2 etcetera. To see what's in the first rule, we can issue the following command at the FreshTomato shell prompt:

nvram get rrule0

The returned string might look something like this:

1|540|1140|62|||$|0|New Rule 1

Let's take a closer look at what each of these nine fields separated by a pipe ( | ) means:

Field 1: indicates whether the rule is currently enabled (1) or disabled (0).

Field 2: specifies the start time, or time to start applying this rule, in minutes elapsed since midnight. In this case, start time is 5:40 AM, so the router should enforce this rule starting at 9:00 AM.

Field 3: is the end time, or the time to stop applying this rule. This is coded the same way as the start time. Both the second and third fields will be -1 if you select the ‘All Day’ option in the Access Restrictions menu.

Field 4: specifies the days of week on which the rule will be applied. It is coded in binary: 1 for Sunday, 2 for Monday, 4 for Tuesday, and so on.

For multiple days, add the corresponding numbers for each day. In the above example the fourth field is 62 which is equal to 2+4+8+16+32 . This means the rule should be active on Mon, Tue, Wed, Thu, and Fri. In other words, only on week days. If you had checked the option Everyday this value would be 127.

Field 5: shows the IP or MAC Address range on your network for which the rule should be applied.

Field 6: has the Port/Application information coded in it. In other words, which ports numbers, protocols, Layer 7 and p2p applications should be blocked by this rule.

Field 7: contains the Domains/URLs to be blocked. It partially supports regular expressions. In the above example, domain names ending in are blocked.

Field 8: stores as a binary coded value if ActiveX, Flash or Java are to be blocked. 1 will block ActiveX, 2 will block Flash and 4 will block Java.

Field 9: stores the name that you gave to the above rule.

Now that we have a basic understanding about how Access Restriction rules work, we can write shell scripts to control the rules. Below is the script which will enable or disable a rule. Two values are passed on the command line – the rule number and either a “0” or “1” to disable or enable the service, respectively. If you have jffs enabled in the FreshTomato menus, you can copy the script under jffs directory and schedule it to run as a cron job, if you wish.


#Wait if any service is currently being restarted

nvstat=`nvram get action_service`
while [ "$nvstat" != "" ]; do

#Assume we are going to enable the rule

#Was a 1 or 0 passed on the command line?
[ "$2" != "" ] && enable=$2

#Get the current setting of the rule.
#Rule number is passed as the first parameter on the command line.
rr=`nvram get rrule$1`

#Set the first field to the value in variable $enable
rr=$(echo $rr|sed "s/^./$enable/")
echo $rr

#Replace the old rule with the new value
nvram set rrule$1="$rr"

#Prepare to restart the service by killing the init process
nvram set action_service=restrict-restart

#kill the init process
kill -USR1 1

#Wait for the service to restart
while [ "`nvram get action_service`" == "restrict-restart" ]; do


access_restrictions.txt · Last modified: 2021/09/13 16:39 by hogwild