Access Restrictions

Access Restriction rules are coded as pipe (|) separated strings and stored in nvram variables named rrule0, rrule1, rrule2 etc. To see what is in the first rule, we can issue the following command at the FreshTomato shell prompt:

nvram get rrule0


The returned string might look something like:

1|540|1140|62|||block-site.com$|0|New Rule 1


Let's take a closer look at what each of these nine fields separated by a pipe (|) means.

The first field shows whether the rule is currently enabled (1) or disabled (0).

The second field gives the start time, or the time to start applying this rule, in minutes elapsed since midnight. In the above example, start time is 540, so the router should enforce this rule starting at 9:00 AM.

The third field is the end time, i.e. the time to stop applying this rule, again coded the same way as the start time. Both the second and third fields will be -1 if you select the option ‘All Day’ in the control panel.

The fourth field is the days of the week on which the rule should be applied, coded as a bitmask: 1 for Sunday, 2 for Monday, 4 for Tuesday and so on. For multiple days, add the corresponding numbers for each day. In the above example the fourth field is 62, which is equal to 2+4+8+16+32, meaning the rule should be active on Mon, Tue, Wed, Thu, and Fri, i.e. only on weekdays. If you had checked the option Everyday, this value would be 127.

The fifth field shows the IP or MAC address range in your network to which the rule should be applied, in case you don’t want all the computers on the network to be affected by this rule. The sixth field has the Port/Application information coded in it, i.e. which port numbers, protocols, layer 7 and p2p applications should be blocked by this rule.

The seventh field contains the domains or URLs you want to block, and it partially supports regular expressions. In the above example, domain names ending in block-site.com are blocked. The eighth field stores, as a bitmask, whether ActiveX, Flash or Java should be blocked: 1 for ActiveX, 2 for Flash and 4 for Java. And finally, the ninth field stores the name that you gave to this rule.
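
The field layout described above can be decoded with a short script, which is handy for reviewing what each stored rule actually enforces. This is an added example, not part of the original page or of FreshTomato; the function names are hypothetical and the sample input is the rule string quoted above.

```shell
#!/bin/sh
# Added example: decode a FreshTomato rrule string into readable fields.
# Function names are hypothetical; the sample rule is the one quoted above.

# True only for a non-empty string of digits (checked before any arithmetic).
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Minutes since midnight -> HH:MM
mins_to_hhmm() { printf '%02d:%02d\n' $(( $1 / 60 )) $(( $1 % 60 )); }

# Expand a bitmask: $1 = mask, remaining args = labels for bits 1, 2, 4, ...
mask_to_names() {
    mask=$1; shift
    bit=1; out=""
    for label in "$@"; do
        if [ $(( mask & bit )) -ne 0 ]; then out="${out:+$out,}$label"; fi
        bit=$(( bit * 2 ))
    done
    echo "${out:-none}"
}

decode_rrule() {
    # A rule needs at least 8 pipes (9 fields); reject anything shorter.
    pipes=$(( $(printf '%s' "$1" | tr -cd '|' | wc -c) ))
    [ "$pipes" -ge 8 ] || { echo "not a nine-field rule" >&2; return 1; }
    # read with IFS='|' keeps empty fields (5 and 6 are empty in the sample).
    IFS='|' read -r en start end days hosts ports urls content name <<EOF
$1
EOF
    is_int "$days" && is_int "$content" || { echo "bad bitmask" >&2; return 1; }
    if [ "$start" = "-1" ] && [ "$end" = "-1" ]; then
        window="all-day"
    else
        is_int "$start" && is_int "$end" || { echo "bad time" >&2; return 1; }
        window="$(mins_to_hhmm "$start")-$(mins_to_hhmm "$end")"
    fi
    echo "enabled=$en"
    echo "window=$window"
    echo "days=$(mask_to_names "$days" Sun Mon Tue Wed Thu Fri Sat)"
    echo "hosts=$hosts"
    echo "ports=$ports"
    echo "urls=$urls"
    echo "content=$(mask_to_names "$content" ActiveX Flash Java)"
    echo "name=$name"
}

# Sample rule quoted on this page; on the router use "$(nvram get rrule0)".
decode_rrule '1|540|1140|62|||block-site.com$|0|New Rule 1'
```

The numeric fields are validated before they reach shell arithmetic, so a malformed nvram value is rejected instead of being evaluated.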

Now, with this basic understanding of how the Access Restriction rules in FreshTomato work, we can write shell scripts to control the rules. Below is the script I wrote to enable or disable a rule. Two values are passed on the command line: the rule number and either a 0 or a 1 to disable or enable the rule respectively. If you have JFFS enabled in the control panel, you can copy the script into the jffs directory and, if you want, schedule it to run as a cron job.

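#!/bin/sh
#Usage: script rule_number [0|1]   (0 = disable, 1 = enable; default is 1)

#A rule number is required
[ "$1" != "" ] || { echo "usage: $0 rule_number [0|1]" >&2; exit 1; }

#Wait if any service is currently being restarted.
#The variable is re-read on every pass; otherwise the loop would never end.
while [ "`nvram get action_service`" != "" ]; do
sleep 1
done

#Assume we are going to enable the rule
enable=1

#Was a 1 or 0 passed on the command line?
[ "$2" != "" ] && enable=$2

#Only 0 or 1 may go into the first field (the value is used inside sed)
case "$enable" in
0|1) ;;
*) echo "second argument must be 0 or 1" >&2; exit 1 ;;
esac

#Get the current setting of the rule.
#Rule number is passed as the first parameter on the command line.
rr=`nvram get rrule$1`

#Do nothing if the rule does not exist
[ "$rr" != "" ] || { echo "rrule$1 is empty" >&2; exit 1; }

#Set the first field to the value in variable $enable
rr=$(echo "$rr"|sed "s/^./$enable/")
echo "$rr"

#Replace the old rule with the new value
nvram set rrule$1="$rr"

#Request a restart of the access restriction service
nvram set action_service=restrict-restart

#Signal the init process (PID 1) so that it performs the requested action
kill -USR1 1

#Wait for the service to restart
while [ "`nvram get action_service`" = "restrict-restart" ]; do
sleep 1
done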

Credits

access_restrictions.1622398487.txt.gz · Last modified: 2021/05/30 19:14 by hogwild