diff --git a/ssh_filter_btrbk.sh b/ssh_filter_btrbk.sh
new file mode 100644
index 0000000..f71ad9c
--- /dev/null
+++ b/ssh_filter_btrbk.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+export PATH=
+
+if [ "$1" = "-l" ]; then
+    enable_log=1
+fi
+
+reject_and_die()
+{
+    if [ -n "$enable_log" ]; then
+        /usr/bin/logger -p auth.err -t ssh_filter_btrbk.sh "$LOGNAME $SSH_CLIENT REJECT: $SSH_ORIGINAL_COMMAND"
+    fi
+    /bin/echo "ssh command rejected" 1>&2;
+    exit 1;
+}
+
+run_cmd()
+{
+    if [ -n "$enable_log" ]; then
+        /usr/bin/logger -p auth.info -t ssh_filter_btrbk.sh "$LOGNAME $SSH_CLIENT ALLOW: $SSH_ORIGINAL_COMMAND"
+    fi
+    $SSH_ORIGINAL_COMMAND
+}
+
+case "$SSH_ORIGINAL_COMMAND" in
+    *\$*) reject_and_die ;;
+    *\&*) reject_and_die ;;
+    *\(*) reject_and_die ;;
+    *\{*) reject_and_die ;;
+    *\;*) reject_and_die ;;
+    *\<*) reject_and_die ;;
+    *\>*) reject_and_die ;;
+    *\`*) reject_and_die ;;
+    *\|*) reject_and_die ;;
+    /sbin/btrfs\ subvolume\ show\ *)      run_cmd ;;   # mandatory
+    /sbin/btrfs\ subvolume\ list\ *)      run_cmd ;;   # mandatory
+    /sbin/btrfs\ subvolume\ snapshot\ *)  run_cmd ;;   # mandatory if this host is backup source
+    /sbin/btrfs\ send\ *)                 run_cmd ;;   # mandatory if this host is backup source
+    /sbin/btrfs\ receive\ *)              run_cmd ;;   # mandatory if this host is backup target
+    /sbin/btrfs\ subvolume\ delete\ *)    run_cmd ;;   # mandatory if scheduling is active
+    /sbin/btrfs\ subvolume\ find-new\ *)  run_cmd ;;   # needed for "btrbk diff"
+    /sbin/btrfs\ filesystem\ show\ *)     run_cmd ;;   # needed for "btrbk info"
+    /sbin/btrfs\ filesystem\ df\ *)       run_cmd ;;   # needed for "btrbk info"
+    /sbin/btrfs\ filesystem\ usage\ *)    run_cmd ;;   # needed for "btrbk info"
+    *) reject_and_die ;;
+esac