
Using Scheduler to turn on/off specific Access Restriction rule

Discussion in 'Tomato Firmware' started by Hanry155, Feb 25, 2018.

  1. Hanry155

    Hanry155 New Member Member

    I am trying to use the scheduler in Administration to turn on/off one of the Access Restriction rules thru a command. Is this possible?
    Where can I find a list of commands that are valid to enter?

    PS. I can't use the schedule that is built into the rule itself because the way I have it set up is that the rule is already on a set daily schedule, but there are times when I need to bypass the rule for a few hours. The easiest way I found is just turning it off. The problem is that sometimes I forget to turn the rule back on. The way I thought of is to just have the scheduler enable the rule every x hours.
  2. Sean B.

    Sean B. LI Guru Member

    Try using the commands:

    service restrict stop

    service restrict start
  3. Sortec

    Sortec Reformed Router Member

    But why bother using the scheduler at all, as the access restriction rules already have their own scheduling built into the routing?
    You can set hours per day and days per week right through the access restriction rule.
  4. ruggerof

    ruggerof Network Guru Member

    You can always write the rule in the NVRAM to activate it and write to deactivate it.

    Example: I have a Canon Printer that I deny internet access completely whose name is "No-Canon Pixma"

    By doing

    nvram show | grep "No-Canon Pixma"
    I get the following result:

    rrule39=1|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma
    In order to deactivate it I should then do:

    nvram set rrule39="0|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma"
    And to activate it:

    nvram set rrule39="1|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma"
    Perhaps the command above must be followed by:

    service firewall restart
    in order to force it to activate, but I am not entirely sure.
  5. koitsu

    koitsu Network Guru Member

    Syntax of rruleXX NVRAM variables: http://www.linksysinfo.org/index.ph...-tomato-nd-1-28-5x-110-vpn.68723/#post-232641

    Description of how Access Restriction rules work ("how" they get triggered and at what interval), 6th paragraph: http://www.linksysinfo.org/index.php?threads/access-restriction-quick-question.70335/#post-249753

    Don't use service firewall restart. This does a lot more than what you think and is overkill (not to mention, I think this would sever some established NAT connections).

    What you want to run is rcheck --cron (two hyphens), or just rcheck if you're super lazy. This is a program that's part of TomatoUSB's rc (a.k.a. init on most other Linux distros). It examines several NVRAM variables, parses them if relevant, and issues the necessary iptables/ip6tables commands based on current time (these are firewall rules that take effect immediately). You can see the source code here:

    MIPS (Toastman-RT-AC) --

    ARM7 (Toastman-ARM7) --

    The --cron flag inhibits adding rcheck --cron to crontab (via cru) at 15 minute intervals (this is also based on some NVRAM conditionals, and the existence of rruleXX rules). It does everything else that rcheck (without the --cron flag) would do.

    rcheck has no other flags, and will not emit a usage syntax (read: there is no --help or -h; all it'll do in this case is operate just like you hadn't specified any flags at all). It won't emit any output to standard output either. Errors or informative messages are logged exclusively via syslog, so you will find them in Status -> Logs or /var/log/messages. Logging is partially based on what the checkbox value is under Administration -> Logging -> Events Logged -> Access Restriction.

    Hope this helps.
    Last edited: Feb 25, 2018
  6. Hanry155

    Hanry155 New Member Member

    Thank you to ruggerof and koitsu !!
    I set it up using nvram set rrule39="1|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma"
    I am going to test for a few days but it looks to be working.
  7. Hanry155

    Hanry155 New Member Member

    Update: It's working!
    Just one thing to note - ruggerof was right, it does require a firewall restart for it to work correctly.
    This is how I incorporated it into one command.
    nvram set rrule0="1|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma" && service firewall restart
  8. koitsu

    koitsu Network Guru Member

    Hmm, it should not require a firewall restart. Doing that will likely impact existing/flowing network traffic, which isn't good. If you're OK with that, then great.

    It's just that I even looked at the code (that doesn't restart the firewall to my knowledge, as there are dedicated tables in iptables for Access Restrictions). I will investigate further in spare time as I see fit and see if I can find an explanation. I would like to reproduce the problem though, so if you could provide me a screenshot of your Access Restriction rules (PM is fine if you're worried about giving out sensitive info), I would appreciate it. There may be certain kinds of Access Restriction rules that require a "deeper" restart of things. I don't like it when I understand something + give advice that should work and it doesn't. I like giving conclusive answers. :)
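The approach discussed in posts 4, 5, 7 and 8 (rewrite the first field of an rruleNN NVRAM variable, then make the firewall pick the change up) as a reusable script, written as an added example for this thread; it is not code posted by any participant and not part of Tomato itself. It assumes the rruleNN value layout shown above (the enable flag is the first pipe-separated field), Tomato's `nvram get` / `nvram set name=value` commands, and `rcheck --cron` as the default way to apply the change; because the thread disagrees on whether a `service firewall restart` is also needed, the apply command can be overridden through the hypothetical RRULE_APPLY environment variable. The string-handling helpers are separated from the `nvram` calls so they can be checked without a router.

```shell
#!/bin/sh
# Toggle a Tomato Access Restriction rule stored in NVRAM without touching
# anything else. Value layout (first field is the enable flag), e.g.:
#   1|-1|-1|127|60:12:8B:37:AA:51|||0|No-Canon Pixma
#
# Usage (on the router, e.g. from Administration -> Scheduler):
#   rrule-toggle.sh rrule39 0     # disable rule 39
#   rrule-toggle.sh rrule39 1     # enable rule 39
#   RRULE_APPLY="service firewall restart" rrule-toggle.sh rrule39 1
#
# RRULE_APPLY is an assumption of this script, not a Tomato setting.
# Note: nvram set changes the running copy only; this script deliberately
# does not run "nvram commit", so the toggle does not survive a reboot.

# rrule_enabled VALUE: print the enable flag (first field) of a rule value.
rrule_enabled() {
    printf '%s\n' "${1%%|*}"
}

# set_rrule_enabled VALUE FLAG: print VALUE with its enable flag set to FLAG.
# Fails on a flag other than 0/1 or a value that is not a pipe-separated rule.
set_rrule_enabled() {
    value=$1
    flag=$2
    case "$flag" in
        0|1) ;;
        *) echo "set_rrule_enabled: flag must be 0 or 1" >&2; return 1 ;;
    esac
    case "$value" in
        *\|*) ;;
        *) echo "set_rrule_enabled: not an rrule value" >&2; return 1 ;;
    esac
    rest=${value#*|}            # everything after the first '|'
    printf '%s|%s\n' "$flag" "$rest"
}

# toggle_rrule_var NAME FLAG: read NAME from NVRAM, rewrite its enable flag,
# and apply it. Refuses names that are not rruleNN so a typo cannot clobber
# an unrelated variable.
toggle_rrule_var() {
    name=$1
    flag=$2
    case "$name" in
        rrule[0-9]|rrule[0-9][0-9]) ;;
        *) echo "toggle_rrule_var: refusing to touch '$name'" >&2; return 1 ;;
    esac
    cur=$(nvram get "$name") || return 1
    if [ -z "$cur" ]; then
        echo "toggle_rrule_var: $name is empty" >&2
        return 1
    fi
    new=$(set_rrule_enabled "$cur" "$flag") || return 1
    if [ "$new" = "$cur" ]; then
        return 0                # already in the requested state; nothing to apply
    fi
    nvram set "$name=$new" || return 1
    # Default applier per koitsu's post; override if your rule type needs more.
    ${RRULE_APPLY:-rcheck --cron}
}

if [ "$#" -eq 2 ]; then
    toggle_rrule_var "$1" "$2"
fi
```

Check which rrule number holds your rule first (`nvram show | grep -i "Rule Name"`, as in ruggerof's post); the UI renumbers rules when one is added or deleted, so a hard-coded rrule39 in the scheduler can silently start toggling a different rule. Errors from `rcheck` go only to syslog, so after a scheduled run look in Status -> Logs rather than expecting output.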
  9. Yim Sonny

    Yim Sonny Serious Server Member

    Just a curious question. Is the NVram method accomplishing anything that the native scheduler does not do ?
  10. ruggerof

    ruggerof Network Guru Member

    IMHO 99.9% of the cases, the standard and native schedule in the Access Restriction fits the needs.

    @Hanry155 had a specific need to deactivate / activate an Access Restriction rule every "X" hours, so writing into the NVRAM ends up being more convenient than writing several Access Restriction rules.

    I also use the writing into the NVRAM method in one of my scripts where I grant / deny access to a set of hosts depending on a combination of other events. In my case the native and standard Access Restriction rules do not fit my (very specific) need.
  11. Yim Sonny

    Yim Sonny Serious Server Member

    Thanks for the clarification. I see that now in the OP. It must have been real late when I read his original post, or I was real drunk. If I could remember which it was I'd be happy to admit to it.
