PF - add SSH

K

KenGordon

Well, I have implemented PF here to protect my FreeBSD box ( ver13+), but now our son wishes to be able to SSH into it from Texas. What I would like to do is to implement SSH by user, if that is possible.

I have read the MAN page for PF and must admit to being MORE confused about how to do this than I was before I read it!!

My heavens! PF has so much capability, IMHO, one must be a PF guru to even use it!!

I had thought to use something like this:

block all pass in proto tcp to port ssh

But that doesn't look quite right to me.

So, might anyone have a suggestion for me on this matter?

Ken Gordon
 
You can’t pass in (via PF) by user, but you can (in /etc/ssh/sshd_config) set the AllowUsers value to the desired user to allow (others will be blocked.) If he has a static IP address he’ll be coming from, you can even set it to user@host.

Other things things to consider would be to use a pre shared key and disable other authentication types; there are numerous guides out there for hardening SSH.

As far as the pf rules, a blanket ‘block in on eth0’ (whatever your Internet facing adapter is) followed by ‘pass in on eth0 proto tcp to port ssh’ is a good start, but likewise you should check out any of the numerous guides to pf for what else you’ll want to add.
 
You must log in or register to reply here.
Back
Top