On 2023-07-27, lain. <l...@fair.moe> wrote:
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
> My pf.conf rules look like this:
>> pass in quick on wg0 proto tcp from to any port 22
>> pass in on $externalinterface proto tcp from any to $externalip port 22 
>> rdr-to $internalip
>> block in quick on egress proto tcp from any to any port 22

if $externalinterface is the same as "egress" then I think the "block
quick" may override the "pass" without quick.

> And my sshd_config:
>> AllowUsers lain@
>> AllowUsers git@(DOMAIN)
>> AllowUsers git@(PUBLIC IP)
> Where exactly am I doing wrong here?

The AllowUsers lines need the source addresses not the destination.
You might want something like "AllowUsers git@".

Please keep replies on the mailing list.

Reply via email to