Tested on 10.13 High Sierra

See also: https://support.greenmini.nl/support/solutions/articles/4000170480-securing-your-mac-server-with-a-software-firewall


1. Open Terminal and switch to a root shell.

$ sudo su

2. Enter your password.

3. /etc/pf.conf contains the default pf rule set. Either edit that file or create a custom rule set. If you create a custom one, be sure to copy the contents of the default file into it.

4. Add the following lines:

# The name of the network interface as shown in ifconfig
ext_if="en0"

tcp_services = "{ssh}"
icmp_types = "{echoreq, unreach}"
trusted = "{192.168.1.32, 192.168.1.33}"

# Exempt the loopback interface to prevent services that use it from being blocked
set skip on lo0

# This is a desktop, so we have to be permissive in allowing outgoing connections
pass out quick modulate state


# Block all incoming SSH traffic by default
block in on $ext_if inet proto tcp from any to any port $tcp_services

# Allow SSH traffic from trusted IPs
pass in on $ext_if inet proto tcp from $trusted to any port $tcp_services

5. Edit the network interface and the IP addresses in the above lines to match your setup.

6. Save the file and enable pf:

$ sudo pfctl -e -f /etc/pf.conf             #if using the default /etc/pf.conf
$ sudo pfctl -e -f /path/to/custom_pf.conf  #if using a custom pf.conf
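
A pre-flight check for the rule set from step 4, as an added example that is not part of the original guide. `pf_macro_lint` reports macros that are used but never defined and macros that are defined but never used (in the step 4 rules, `icmp_types`), and `pf_preflight` then has `pfctl -n` parse the file without loading it. The function names are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are made up here.

# The rule set from step 4 (comments dropped), emitted for checking.
sample_pf_conf() {
    cat <<'EOF'
ext_if="en0"
tcp_services = "{ssh}"
icmp_types = "{echoreq, unreach}"
trusted = "{192.168.1.32, 192.168.1.33}"
set skip on lo0
pass out quick modulate state
block in on $ext_if inet proto tcp from any to any port $tcp_services
pass in on $ext_if inet proto tcp from $trusted to any port $tcp_services
EOF
}

# pf_macro_lint FILE: print "undefined NAME" for each $NAME with no definition
# (pfctl rejects such a file) and "unused NAME" for macros nothing refers to.
# Returns 1 if an undefined macro was found. Simplification: a "#" inside a
# quoted string is treated as the start of a comment.
pf_macro_lint() {
    awk '
    { sub(/#.*/, "") }
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        name = $0
        sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
        defined[name] = 1
        sub(/^[^=]*=/, "")    # keep only the value; it may reference macros
    }
    {
        line = $0
        while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            used[substr(line, RSTART + 1, RLENGTH - 1)] = 1
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        for (n in used) if (!(n in defined)) { print "undefined " n; bad = 1 }
        for (n in defined) if (!(n in used)) print "unused " n
        exit bad + 0
    }' "$1"
}

# pf_preflight FILE: lint, then have pfctl parse the file without loading it (-n).
pf_preflight() {
    pf_macro_lint "$1" || return 1
    pfctl -n -f "$1"
}
```

Run `pf_preflight /etc/pf.conf` (or the path to your custom file) from the root shell before step 6, so a parse error is caught before the live rule set is replaced.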


Note: Remember that an OS update could erase these settings.