Here is a PF configuration that passes everything except inbound SSH from systems other than 192.168.1.2, applying general rules first, then applying more specific rules, as the last matching rule wins.
Code:
# this is the address of the admin's workstation:
admin = "192.168.1.2"
# default pass:
pass log all
# block inbound ssh:
block log proto tcp from any to self port ssh
# pass inbound ssh from $admin:
pass log proto tcp from $admin to self port ssh
If you want to add queuing, you can either queue by priority or bandwidth. Queuing will only be applied when there is contention for resources. See the QUEUEING section of the pf.conf(5) man page for examples. (Yes, it's spelled that way).
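The last-match evaluation of the three rules above, traced in Python as an added example (not part of the original post and not PF's own code). It is a simplified model that assumes inbound packets addressed to the firewall itself and ignores state tracking; the 192.168.1.50 client address is constructed sample input.

```python
import ipaddress

ADMIN = "192.168.1.2"  # the $admin macro from the post

# Each rule: (action, proto, source, destination port); None matches anything.
RULESET = [
    ("pass",  None,  None,  None),  # pass log all
    ("block", "tcp", None,  22),    # block log proto tcp from any to self port ssh
    ("pass",  "tcp", ADMIN, 22),    # pass log proto tcp from $admin to self port ssh
]

def matches(rule, proto, src, dport):
    """True when every criterion the rule specifies agrees with the packet."""
    _, r_proto, r_src, r_port = rule
    if r_proto is not None and r_proto != proto:
        return False
    if r_src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
        return False
    if r_port is not None and r_port != dport:
        return False
    return True

def evaluate(ruleset, proto, src, dport):
    """Return (action, index of the deciding rule) for one packet."""
    verdict = ("pass", None)  # PF passes a packet that no rule matches
    for i, rule in enumerate(ruleset):
        if matches(rule, proto, src, dport):
            verdict = (rule[0], i)  # a later match overwrites an earlier one
    return verdict

def reordered():
    """Same rules with the last two swapped: the ordering mistake to avoid."""
    return [RULESET[0], RULESET[2], RULESET[1]]

if __name__ == "__main__":
    # Constructed sample packets: admin SSH, other-host SSH, other-host HTTP.
    for src, port in [(ADMIN, 22), ("192.168.1.50", 22), ("192.168.1.50", 80)]:
        print(src, port, evaluate(RULESET, "tcp", src, port))
    # With the block rule last, even the admin workstation is locked out.
    print("swapped order, admin ssh:", evaluate(reordered(), "tcp", ADMIN, 22))
```

On a real system, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before a reload but not ordering mistakes like the swapped case shown here.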