Tested on 10.13 High Sierra

See also: https://support.greenmini.nl/support/solutions/articles/4000170480-securing-your-mac-server-with-a-software-firewall

1. Open terminal and go to the root environment.

$ sudo su

2. Enter your password.

3. /etc/pf.conf contains the default pf rule set. Edit the pf.conf file or create a custom rule set. If you create a custom one be sure to copy the contents from the default file into it.

4. Add the following lines:

# The name of the network interface as shown in ifconfig

tcp_services = "{ssh}"
icmp_types = "{echoreq, unreach}"
trusted = "{,}"

# Exempt the loopback interface to prevent services that use if from being blocked
set skip on lo0

# This is a desktop so we have to be permissive in allowing outgoing  connections
pass out quick modulate state

# Block all incoming SSH Traffic by default 
  block in on $ext_if inet proto tcp from any to any port $tcp_services

# Allow SSH traffic from trusted IPs
pass in on $ext_if inet proto tcp from $trusted to any port $tcp_services

5. Edit the networkinterface and the IP addresses in the above lines.

6. Save the file and enable pf 

$ sudo pfctl -e -f /etc/pf.conf             #if using the default /etc/pf.conf
$ sudo pfctl -e -f /path/to/custom_pf.conf  #if using a custom pf.conf

Note: Remember that an OS update could erase these settings.