# PF - add SSH



## KenGordon (Dec 27, 2021)

Well, I have implemented PF here to protect my FreeBSD box (ver 13+), but now our son wishes to be able to SSH into it from Texas. What I would like to do is to implement SSH by user, if that is possible.

I have read the MAN page for PF and must admit to being MORE confused about how to do this than I was before I read it!!

My heavens! PF has so much capability, IMHO, one must be a PF guru to even use it!!

I had thought to use something like this:

```
block all
pass in proto tcp to port ssh
```

But that doesn't look quite right to me.

So, might anyone have a suggestion for me on this matter?

Ken Gordon


----------



## Eric A. Borisch (Dec 27, 2021)

You can’t pass in (via PF) by user, but you can (in /etc/ssh/sshd_config) set the AllowUsers value to the desired user to allow (others will be blocked.) If he has a static IP address he’ll be coming from, you can even set it to user@host.

Other things to consider would be to use a pre-shared key and disable other authentication types; there are numerous guides out there for hardening SSH.

As far as the pf rules, a blanket ‘block in on eth0’ (whatever your Internet facing adapter is) followed by ‘pass in on eth0 proto tcp to port ssh’ is a good start, but likewise you should check out any of the numerous guides to pf for what else you’ll want to add.
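The two pieces described in the reply above, put together as an added example (not part of the original post). The interface name `em0`, the user name `son`, and the address `203.0.113.10` (a documentation-range address) are placeholders, and "pre-shared key" is assumed here to mean SSH public-key authentication.

```conf
# ---------- /etc/pf.conf ----------
# Placeholder: replace em0 with the Internet-facing interface.
ext_if = "em0"

# Optional source restriction, usable only if the remote side has a
# static address. 203.0.113.10 is a constructed example value.
table <ssh_src> persist { 203.0.113.10 }

# Do not filter loopback traffic.
set skip on lo0

# pf evaluates every rule and the LAST matching rule wins, so the
# broad block comes first and the narrow pass comes after it.
# "block in" leaves outbound traffic from this host unaffected.
block in on $ext_if

# Allow inbound SSH. Use the first form with a static source address,
# or the commented form to accept SSH from any source.
pass in on $ext_if proto tcp from <ssh_src> to port ssh
# pass in on $ext_if proto tcp to port ssh

# ---------- /etc/ssh/sshd_config ----------
# pf cannot filter by login name; sshd does that part.
# Only the listed user may log in; everyone else is refused.
# The @host part is optional and needs a static source address.
AllowUsers son@203.0.113.10

# Key-based logins only (assumed meaning of "pre-shared key").
PubkeyAuthentication yes
PasswordAuthentication no
# FreeBSD enables PAM keyboard-interactive logins by default, which
# would otherwise still accept passwords.
KbdInteractiveAuthentication no
PermitRootLogin no
```

Both files can be syntax-checked before they take effect: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `sshd -t` tests the sshd configuration.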


----------



## KenGordon (Dec 27, 2021)

Thank you. OK. I'll do some more reading then.

Ken Gordon


----------

