Thursday, July 27, 2023

Re: Restrict SSH to local network only except for Git users?

On 2023-07-27, lain. <lain@fair.moe> wrote:
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
>
> My pf.conf rules look like this:
>> pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
>> pass in on $externalinterface proto tcp from any to $externalip port 22 rdr-to $internalip
>> block in quick on egress proto tcp from any to any port 22

if $externalinterface is the same as "egress" then I think the "block
quick" may override the "pass" without quick.

> And my sshd_config:
>> AllowUsers lain@192.168.0.0/24
>> AllowUsers git@(DOMAIN)
>> AllowUsers git@(PUBLIC IP)
>
> Where exactly am I going wrong here?

The AllowUsers lines need the source addresses, not the destination.
You might want something like "AllowUsers git@0.0.0.0/0".


--
Please keep replies on the mailing list.
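Putting the two points of the reply together, here is an added illustration of corrected fragments for both files; it is not taken from either message in the thread, it keeps the interface and address names used in the question, and it assumes $internalip is the host running the Git sshd:

```conf
# /etc/pf.conf (corrected fragment)
#
# pf evaluates rules top to bottom and the LAST matching rule wins, unless a
# matching rule carries "quick", which ends evaluation on the spot.  In the
# original ruleset the non-quick "pass ... rdr-to" line was followed by a
# "block in quick ... port 22" line on egress; when $externalinterface is the
# egress interface both match the same inbound packet and the quick block wins.
# Giving the pass rules "quick" makes them win before the block is reached.
pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
pass in quick on $externalinterface proto tcp from any to $externalip port 22 rdr-to $internalip
block in quick on egress proto tcp from any to any port 22

# /etc/ssh/sshd_config on the Git host ($internalip)
#
# A USER@HOST pattern is checked against the CLIENT's source address, never
# against the address the client connected to.  rdr-to only rewrites the
# destination, so an external client still arrives with its own public source
# IP, which is why git@(DOMAIN) and git@(PUBLIC IP) never matched anyone.
# lain stays reachable only from the home LAN; git is accepted from anywhere.
AllowUsers lain@192.168.0.0/24
AllowUsers git@0.0.0.0/0
# 0.0.0.0/0 covers IPv4 clients; add "AllowUsers git@::/0" if IPv6 clients
# are expected to reach the public address as well.
```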
