# Filtering on a user account



## Philippe (Jan 21, 2011)

Hello,

I'm working with FreeBSD 7.0.

I'd like to have a rule of type encrypted access (port 22: SSH or SFTP) filtering on a user account.

In short: From IP1 able to 'ssh user1@IP2', but not being able to 'ssh user2@IP2'

Is this possible?

Thank you.


----------



## SirDice (Jan 21, 2011)

Philippe said:

> In short: From IP1 able to 'ssh user1@IP2', but not being able to 'ssh user2@IP2'
> 
> Is this possible?


Configure the SSH server to deny user2 access.


----------



## Philippe (Jan 21, 2011)

I prefer to filter on PF rather than on the servers.

Is there a rule to do that on PF?


----------



## SirDice (Jan 21, 2011)

Philippe said:

> Is there a rule to do that on PF?


No, simply because a firewall cannot 'see' which username is used for the SSH session. 
A firewall works on layer 3/4, you want to filter at layer 7.


----------



## DutchDaemon (Jan 21, 2011)

PF can only filter users/groups on the firewall machine itself, and then it only applies to local sockets owned by a user/group. As SirDice noted, that is entirely different from allowing users to connect to a daemon behind a firewall. No one knows who the user is until after the connection has been made and the authentication starts ...


----------



## Philippe (Jan 21, 2011)

Thank you for your answer.

I understand why this is not possible.

Is there a plugin to do that?

A plugin to have PF layer 7 in fact...


----------



## DutchDaemon (Jan 21, 2011)

No.


----------



## Philippe (Jan 21, 2011)

OK.
Thank you for your reply.
Philippe


----------
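Added example, not part of any post in this thread: an `sshd_config` fragment for the server at IP2 that enforces the per-user restriction the thread concludes PF cannot see, using OpenSSH's `USER@HOST` patterns. The address 192.0.2.10 is a placeholder standing in for IP1; PF can still restrict which source addresses reach port 22 at layer 3/4.

```conf
# /etc/ssh/sshd_config on the server at IP2 (fragment)
# 192.0.2.10 is a placeholder for IP1; substitute the real source address.

# Option A: refuse user2 only when the connection comes from IP1.
# user2 can still log in from other addresses, and other accounts
# (including user1) are unaffected.
DenyUsers user2@192.0.2.10

# Option B (stricter alternative to A): once AllowUsers is set, only
# logins matching one of its patterns are accepted, so every account
# and source address not listed here is refused.
#AllowUsers user1@192.0.2.10

# sshd evaluates these directives in the order
# DenyUsers, AllowUsers, DenyGroups, AllowGroups,
# so a DenyUsers match wins over an AllowUsers match.
```

Check the file with `sshd -t` and reload sshd from a session you keep open, so a mistake in the patterns does not lock you out.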

