This is an old revision of the document!
The default settings make Tomato's administration ports (SSH and HTTP/S) reachable from all VLANs/WLANs configured on the router.
If you don't want to communication to be available on a certain interface, you can filter out access to those ports by using the following script in the Administration/Scripts/Firewall page:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
Your bridge number will reflect the interface on which you which to disable the above protocols.
If you're using non-standard port numbers, You can change the ports used above (22,80,443). You can also add additional lines changing br1 if you have multiple bridges/guest VLAN
Be careful not to lock yourself out of having access. It's not a good idea to filter on bridge br0.
This will take effect as soon as the firewall script is called next. You can force this manually with either a service firewall restart or rebooting the device.