access_restrictions

Differences

This shows you the differences between two versions of the page.

access_restrictions [2021/05/26 15:26] – created t3chwizard
access_restrictions [2023/10/26 17:20] (current) – [Scripting Access Restrictions] -format hogwild
Line 1: Line 1:
-[[http://web.archive.org/web/20160321090715/http://infinilogix.com/wordpress/network-programming/routers/how-to-control-access-restriction-rules-in-tomato-by-a-shell-script|Old page with documentation (placeholder before putting information here)]]+====== Scripting Access Restrictions ====== 
 + 
 +Access Restriction rules are coded as strings separated by pipe ( | ) symbols. These are stored in NVRAM as variables named //rrule0//, //rrule1//, //rrule2// and so on. 
 + 
 + \\ 
 + 
 +To see what's in the first rule, we can issue the following command at a FreshTomato shell prompt: 
 + 
 + \\ 
 + 
 +<code -> 
 +nvram get rrule0 
 +</code> 
 + 
 +\\ 
 + 
 +The returned string might look something like this: 
 + 
 + \\ 
 + 
 +<code -> 
 +1|540|1140|62|||block-site.com$|0|New Rule 1 
 +</code> 
 + 
 +\\ 
 + 
 +Let's look more closely at what each of these fields separated by a pipe ( | ) symbol means. 
 + 
 +**Field 1:** indicates whether the rule is currently enabled (1) or disabled (0). 
 + 
 +**Field 2:** specifies the start time, (time to start applying this rule), in minutes elapsed since midnight. 
 + 
 +In this case, start time is 5:40 AM, so the router should enforce this rule starting at 9:00 AM. 
 + 
 +**Field 3:**  is the end time, (time to stop applying this rule). This is coded similarly to the start time. 
 + 
 +Both the second and third fields will be -1 if you select the //‘All Day’// option in the Access Restrictions menu. 
 + 
 +**Field 4:** specifies on which days the rule will be applied. 
 + 
 +It is coded in binary: 
 + 
 +  * 1 = Sunday 
 +  * 2 = Monday 
 +  * 4 = Tuesday 
 +  * 8 = Wednesday 
 +  * 16 = Thursday 
 +  * 32 = Friday 
 +  * 64 = Saturday 
 + 
 + \\ 
 + 
 +For multiple days, simply add together the corresponding numbers for each day. 
 + 
 +In the above example, the fourth field is 62, which is equal to 2 + 4 + 8 + 16 + 32 . This means the rule should be active on Mon, Tue, Wed, Thu, and Fri. That is, only on weekdays. If you had checked the //Everyday// option, the value would have been 127. 
 + 
 +**Field 5:** shows the IP or MAC Address range on your network for which the rule should be applied. 
 + 
 +**Field 6:** has the //Port/Application// information coded in it. In other words, which port numbers and protocols. This rule should block Layer 7 and p2p applications. 
 + 
 +**Field 7:**  contains the Domains/URLs to block. It partially supports regular expressions. 
 + 
 +In the example above, domain names ending with "block-site.com" are blocked. 
 + 
 +**Field 8:**  stores a binary coded value if ActiveX, Flash or Java are set to be blocked. 
 + 
 +  * A "1" will block ActiveX.  
 +  * A "2" will block Flash. 
 +  * A "4" will block Java. 
 + 
 + \\ 
 + 
 +**Field 9:**  stores the name that you gave to the rule being edited. 
 + 
 + \\ Now that we have a basic sense of how Access Restriction rules work, we can write shell scripts to control the rules. The script below will enable or disable a rule. Two values are passed on the command line – the rule number and either a "0" or "1" to disable or enable the service. 
 + 
 +\\ 
 + 
 +<code -> 
 +#!/bin/sh 
 + 
 +#Wait if any service is currently being restarted 
 + 
 +nvstat=`nvram get action_service` 
 +while [ "$nvstat" != "" ]; do 
 +echo 
 +done 
 + 
 +#Assume we are going to enable the rule 
 +enable=1 
 + 
 +#Was a 1 or 0 passed on the command line? 
 +[ "$2" != "" ] && enable=$2 
 + 
 +#Get the current setting of the rule. 
 +#Rule number is passed as the first parameter on the command line. 
 +rr=`nvram get rrule$1` 
 + 
 +#Set the first field to the value in variable $enable 
 +rr=$(echo $rr|sed "s/^./$enable/"
 +echo $rr 
 + 
 +#Replace the old rule with the new value 
 +nvram set rrule$1="$rr" 
 + 
 +#Prepare to restart the service by killing the init process 
 +nvram set action_service=restrict-restart 
 + 
 +#kill the init process 
 +kill -USR1 1 
 + 
 +#Wait for the service to restart 
 +while [ "`nvram get action_service`" == "restrict-restart" ]; do 
 +echo 
 +done 
 +</code> 
 + 
 +\\ 
 + 
 +If you have JFFS enabled in FreshTomato, you can copy the script under the jffs directory and schedule it to run as a cron job, if you wish. 
 + 
 + \\ 
 + 
 + \\ 
 + 
 + 
 +===== Credits ===== 
 + 
 +[[http://web.archive.org/web/20160321090715/http://infinilogix.com/wordpress/network-programming/routers/how-to-control-access-restriction-rules-in-tomato-by-a-shell-script|Credit: Justin from "infinilogix.com" - original page which is now only accessible via archive.org]] 
 + 
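Review bot: The added script does not parse, because the line `rr=$(echo $rr|sed "s/^./$enable/"` is missing its closing `)`. It should read `rr=$(echo "$rr" | sed "s/^./$enable/")`, with `$rr` quoted so that a `*` in the Domains/URLs field or repeated spaces in the rule name are not altered by the shell before the value is written back. The first wait loop reads `action_service` into `nvstat` once and never re-reads it, so it spins forever whenever a restart is already in progress; re-read the value inside the loop, and use `sleep 1` instead of `echo` in both loops. `$1` and `$2` are used without validation: check that `$1` is a rule number and `$2` is 0 or 1 before calling `nvram set`, since `$2` is pasted straight into the sed replacement. In the Field 2 description, the example value 540 is 540 minutes after midnight, which is 9:00 AM, so "start time is 5:40 AM" contradicts both the field definition and the rest of that sentence. The comment "kill the init process" is also misleading, because `kill -USR1 1` only sends a signal to init.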
access_restrictions.1622039197.txt.gz · Last modified: 2021/05/26 15:26 by t3chwizard