Restrict Remote SSH Login to IP
I would like to restrict SSH on my OS X 10.10 Mac to a particular IP or a subnet.
I have been messing around with pf.conf and turning the firewall on and off in system preferences to restart it to test.
I have been able to open particular ports like 2222 and 8080 to all with rules like:
# Open port 8080 for TCP on all interfaces
pass in proto tcp from any to any port 8080
# Open port 2222 for TCP on all interfaces
pass in proto tcp from any to any port 2222
But to selectively allow SSH from a specific IP with:
# Open port 22 from 123.456.789.10 for TCP on all interfaces
pass in proto tcp from 123.456.789.10 to any port 22
doesn't work.
It seems in order for SSH to answer at all, under Sharing in system preferences, remote login has to be enabled,
and to successfully login, remote login must be enabled for the user or group logging in.
When this is the case, my rule,
# Open port 22 from 123.456.789.10 for TCP on all interfaces
pass in proto tcp from 123.456.789.10 to any port 22
is not effective; I can SSH as the specified user from any host.
I can see by running
sudo dscl . -read /Groups/com.apple.access_ssh/
while adding and removing users to Sharing / remote login
that somehow SSH is plugged into the Directory server group management.
Is there any way to restrict SSH to an IP or IP range (or to a user AND IP/IP range)?
Thanks,
SG
iMac, OS X Yosemite (10.10), sshd, pf
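A point worth stating plainly for anyone reading the question: a pf "pass" rule for one address never blocks anyone else, because pf's default disposition for a packet that matches no rule is to pass it. Restricting a port therefore needs an explicit "block" alongside the "pass", and the sshd user/group check from the Sharing pane is a separate, application-level control. The script below is an added example (not code from the original post, and not Apple's own configuration); it generates a pf rule set that blocks tcp/22 except from one allowed network, generates a matching sshd_config AllowUsers line so that only a named user from that network is accepted, and validates the address first, since pfctl will not parse an address with an octet above 255. The network 203.0.113.0/24, the user name "sg", the table name "ssh_allowed" and the anchor name "ssh_restrict" are all placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a pf rule set and an
# sshd_config fragment that together limit SSH to one source network.
# Placeholders/assumptions: network 203.0.113.0/24, user "sg",
# table <ssh_allowed>, anchor "ssh_restrict".

# Validate a dotted-quad IPv4 address with an optional /prefix.
# Returns 1 for anything pfctl would refuse, e.g. 123.456.789.10.
valid_cidr() {
    cidr=$1
    case $cidr in
        */*) addr=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   addr=$cidr;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four numeric octets, each in 0..255
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit pf rules: allow SSH from the table, then drop every other SSH SYN.
# "quick" ends evaluation at the first match, so pf's last-match semantics
# and any later "pass" rule cannot re-open the port.
pf_ssh_rules() {
    allowed=$1
    valid_cidr "$allowed" || { echo "invalid network: $allowed" >&2; return 1; }
    cat <<EOF
# constructed rule set: restrict sshd (tcp/22) to $allowed
table <ssh_allowed> { $allowed }
pass in quick proto tcp from <ssh_allowed> to any port 22 flags S/SA keep state
block in quick proto tcp from any to any port 22
EOF
}

# Emit the sshd_config line that pairs a user with a CIDR source pattern
# (user@host form of AllowUsers); every other user/source pair is refused
# by sshd itself, independently of the packet filter.
sshd_match_block() {
    user=$1; allowed=$2
    valid_cidr "$allowed" || { echo "invalid network: $allowed" >&2; return 1; }
    cat <<EOF
# constructed sshd_config fragment: only $user, and only from $allowed
AllowUsers $user@$allowed
EOF
}

# Parse-check the rules with pfctl -nf before loading them into the anchor,
# so a malformed rule never replaces a working set. BSD/macOS only; the
# anchor must also be referenced from /etc/pf.conf and pf enabled (pfctl -e).
pf_ssh_apply() {
    rules=$(pf_ssh_rules "$1") || return 1
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available" >&2; return 1; }
    printf '%s\n' "$rules" | pfctl -nf - || return 1      # syntax check only
    printf '%s\n' "$rules" | pfctl -a ssh_restrict -f -   # load into anchor
}
```

Usage: `pf_ssh_rules 203.0.113.0/24 > /etc/pf.anchors/ssh_restrict`, add `anchor "ssh_restrict"` and `load anchor "ssh_restrict" from "/etc/pf.anchors/ssh_restrict"` to /etc/pf.conf, then `pfctl -f /etc/pf.conf` and `pfctl -e`; append the output of `sshd_match_block sg 203.0.113.0/24` to /etc/sshd_config and restart Remote Login. Keeping both layers is deliberate: the pf rule stops the TCP handshake for everyone else, and the AllowUsers line still holds if pf is disabled or its rule set is reloaded without the anchor.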