This cannot be done by the firewall. SSH is an opaque encrypted tunnel.

You have to handle this outside the tunnel part, i.e. at the client or
server end.
Preferably at the server end, where there is more trust.

But how do you give shell without the capability to transfer a file? You can't,
unless you remove the file transfer parts of the server and create a restricted
shell for the user.

$ tar -cf - dir-of-files | ssh servername "tar -xf -"
$ ssh servername "cat > file.txt" < file.txt

On 6/26/06, Odaniel, Jim (Mission Systems) wrote:
> Hi,
> I have a unique ssh/sftp requirement. I have two networks
> separated by a firewall. I would like to allow anyone on my "internal"
> network to ssh to my "external" network but I would like to control who
> is allowed to sftp/scp files from my internal network to my external
> network. How can I do this? Is there a way to do this if my firewall
> doesn't support controlling such an activity? Will setting up some kind
> of internal proxy/port forwarding server do the trick?
> The version that I am using is:
> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
> HP-UX Secure Shell - A.04.00.000
> Thanks for your help!
> Jim O'Daniel
> Unix Systems Administrator Northrop Grumman

And, did Guloka think the Ulus were too ugly to save?
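The server-side control the reply describes, as an added example that is not part of the original thread: a forced-command gate installed per key in `~/.ssh/authorized_keys`, using only `authorized_keys` options that already existed in the OpenSSH 4.1 era (`command=`, `no-pty`, `no-port-forwarding`, `no-agent-forwarding`, `no-X11-forwarding`). The path `/usr/local/bin/ssh-gate`, the `--run` argument and the allow-list of commands are assumptions made for the example. It denies the sftp subsystem, scp, and any redirection or chaining that would smuggle a file through, and it denies a plain interactive shell, since that is exactly what `cat > file.txt` needs.

```shell
#!/bin/sh
# ssh-gate: hypothetical forced-command wrapper (added example, not from the thread).
# Install per key in ~/.ssh/authorized_keys, all on one line:
#   command="/usr/local/bin/ssh-gate --run",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# sshd runs the forced command instead of whatever the client asked for and puts the
# client's request in SSH_ORIGINAL_COMMAND (empty for an interactive login; for a
# subsystem request it holds the subsystem's command line, e.g. .../sftp-server).

# Decide whether a requested command may run. Returns 0 to allow, 1 to deny.
# The allow-list is a constructed example of read-only commands; extend to taste.
gate_check() {
    cmd="$1"
    case "$cmd" in
        "")
            # Interactive shell: 'cat > file.txt' and 'tar -xf -' would work there. Deny.
            return 1 ;;
        *sftp-server*|scp\ *|*/scp\ *)
            # Explicit file-transfer tools (sftp subsystem, scp in either direction).
            return 1 ;;
        *'>'*|*'<'*|*'|'*|*';'*|*'&'*|*'`'*|*'$('*)
            # Redirection, pipes and command chaining move data just as well as scp.
            return 1 ;;
        "uptime"|"df -h"|"who"|"hostname")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Log a denial to stderr so it lands in the user's session output and can be
# picked up by whatever wraps sshd logging (constructed format).
gate_deny() {
    printf 'ssh-gate: denied: %s\n' "${1:-<interactive shell>}" >&2
    exit 1
}

# Only dispatch when sshd invokes us with --run; sourcing the file for tests
# or running it by hand without the flag just defines the functions.
if [ "${1:-}" = "--run" ]; then
    req="${SSH_ORIGINAL_COMMAND:-}"
    if gate_check "$req"; then
        # The request matched an allow-listed literal, so handing it to sh is safe.
        exec /bin/sh -c "$req"
    else
        gate_deny "$req"
    fi
fi
```

Note that this is only as strong as the allow-list: any permitted command that can read a file and print it (or write stdin to disk) reopens the transfer path, which is the reply's point that a shell and "no file transfer" do not coexist.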