On 2023-07-27, lain. <l...@fair.moe> wrote:
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
>
> My pf.conf rules look like this:
>> pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
>> pass in on $externalinterface proto tcp from any to $externalip port 22
>> rdr-to $internalip
>> block in quick on egress proto tcp from any to any port 22
If $externalinterface is the same as "egress", then I think the "block
quick" may override the "pass" without quick.

> And my sshd_config:
>> AllowUsers lain@192.168.0.0/24
>> AllowUsers git@(DOMAIN)
>> AllowUsers git@(PUBLIC IP)
>
> Where exactly am I doing wrong here?

The AllowUsers lines need the source addresses, not the destination.
You might want something like "AllowUsers git@0.0.0.0/0".

-- 
Please keep replies on the mailing list.
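The two corrections from the reply, written out as one added example (this is not the poster's or the list's own configuration). It assumes the same macros $externalinterface, $externalip and $internalip are defined earlier in pf.conf, that $externalinterface is the interface in the "egress" group, and that outbound traffic towards the home host on the internal interface is already passed by the rest of the ruleset. The Match block at the end is an extra hardening step not discussed in the thread.

```conf
# --- /etc/pf.conf on the gateway (added example; assumes $externalinterface,
# --- $externalip and $internalip are defined above and that
# --- $externalinterface is the "egress" interface)

# WireGuard clients may reach any SSH server.
pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22

# Public SSH only when the destination is the gateway's public address,
# redirected to the home host. "quick" is what was missing: pf uses the
# LAST matching rule unless a matching rule carries "quick", so without it
# evaluation continued and the later "block ... quick" became the decision.
pass in quick on $externalinterface proto tcp from any to $externalip port 22 rdr-to $internalip

# Everything else arriving on the public side for port 22 is dropped.
block in quick on egress proto tcp from any to any port 22


# --- /etc/ssh/sshd_config on the home host ($internalip) ---
# AllowUsers patterns are USER@SOURCE: the part after "@" is matched against
# the address the client connects FROM. rdr-to rewrites only the destination,
# so sshd here sees the real Internet client address, never the gateway's
# public IP or DNS name, which is why "git@(PUBLIC IP)" could never match.
# "git" is allowed from anywhere; "lain" only from the WireGuard network.
AllowUsers lain@192.168.0.0/24 git@0.0.0.0/0
# If the host also listens on IPv6, add git@::/0 as well.

# Not part of the thread: since "git" is now reachable from the whole
# Internet, make that account key-only.
Match User git
    PasswordAuthentication no
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`, and confirm what sshd actually parsed with `sshd -t` and `sshd -T | grep -i allowusers`. An equivalent fix on the pf side is to leave the pass rule without "quick" and move the block rule above it, since the last matching rule wins when no "quick" rule matches; either way, the pass rule has to be the one that decides.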