Executing Commands at Boot

There are three primary options for executing custom commands at boot time: shellcmd, earlyshellcmd, and shell scripts.

The shellcmd package can manage the shellcmd and earlyshellcmd tags in the GUI, so config.xml values need not be edited by hand.

At boot time the firewall executes the earlyshellcmd entries first and the shellcmd entries much later in the boot process. Shell scripts are executed at the very end of the boot process when initializing packages.

The shellcmd and earlyshellcmd options are preferable as they are contained within the configuration file. As such they do not typically require additional modifications should the storage medium be replaced and reinstalled, or if the configuration is restored to a different piece of hardware.

shellcmd option

The hidden config.xml option <shellcmd> makes the firewall run a command towards the end of the boot process.

To add a shellcmd to a configuration, either use the shellcmd package or edit config.xml by hand (see XML Configuration File).

To edit the config.xml:

  • Back it up via Diagnostics > Backup/restore

  • Open the XML backup file in a text editor that properly handles UNIX line endings.

  • Add a new line above the </system> line such as the following:

    <shellcmd>mycommand -a -b -c 123</shellcmd>

    Where mycommand -a -b -c 123 is the command to run.

  • Save the changes to the configuration

  • Restore the modified configuration

Multiple lines may be added to execute multiple commands.

earlyshellcmd option

The hidden config.xml option <earlyshellcmd> makes the firewall run a command at the beginning of the boot process.


In most cases <shellcmd> is more appropriate, though <earlyshellcmd> may be necessary in some circumstances.

The process to add an <earlyshellcmd> tag is the same as for <shellcmd>. Either use the shellcmd package or add it by hand.

This should result in a tag such as the following in the configuration:

<earlyshellcmd>mycommand -a -b -c 123</earlyshellcmd>

Multiple <earlyshellcmd> lines can be present to execute multiple commands.
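Because these tags run commands on every boot, a configuration backup should be reviewed for them before it is restored. The following is an added example, not part of the original documentation or of the firewall's own code: it lists every <earlyshellcmd> and <shellcmd> entry under <system> in a backup file and flags any that are not on an approved list. The sample configuration, the second command and the approved list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tags that run commands at boot, listed in the order the firewall executes them.
BOOT_TAGS = ("earlyshellcmd", "shellcmd")

# Constructed sample backup; hostname and commands are made up for this example.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw1</hostname>
    <earlyshellcmd>mycommand -a -b -c 123</earlyshellcmd>
    <shellcmd>mycommand -a -b -c 123</shellcmd>
    <shellcmd>othercommand --flag</shellcmd>
  </system>
</pfsense>
"""

def boot_commands(config_xml):
    """Return [(tag, command)] for every boot-time tag directly under <system>."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        return []
    found = []
    for tag in BOOT_TAGS:
        # Multiple entries of the same tag are allowed, so collect all of them.
        for node in system.findall(tag):
            found.append((tag, (node.text or "").strip()))
    return found

def unapproved(config_xml, approved):
    """Return boot entries that are not in the approved set of (tag, command)."""
    return [entry for entry in boot_commands(config_xml) if entry not in approved]

if __name__ == "__main__":
    # Assumed allowlist: the entries an administrator expects to find.
    approved = {("earlyshellcmd", "mycommand -a -b -c 123"),
                ("shellcmd", "mycommand -a -b -c 123")}
    for tag, cmd in boot_commands(SAMPLE_CONFIG):
        print(f"{tag}: {cmd}")
    for tag, cmd in unapproved(SAMPLE_CONFIG, approved):
        print(f"REVIEW {tag}: {cmd}")
```

To check a real backup, read the XML file downloaded from Diagnostics > Backup/restore into a string and pass it to boot_commands in place of SAMPLE_CONFIG.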

Shell script option

Any shell script can be placed in the /usr/local/etc/rc.d/ directory.

The filename must end in .sh and it must be marked as executable (chmod +x myscript.sh).

The firewall will execute every shell script ending in .sh in this directory at boot time and also during certain system events (e.g. interface link changes, IP address changes, and gateway events).