I have the remote login feature enabled on one of my Minis so I can manage it from another Mini on my LAN - but I don’t need to be able to remote login from the Internet.
Looking for a recommendation for firewall software (easy to use is a bonus) where I can basically tell my Mini “if a remote login request is coming from a 10.x.x.x address, allow it, otherwise deny it”.
It doesn’t seem that Apple’s built-in firewall is anything close to what I need. Any recommendations?
No need for a firewall, although you could use that for extra security.
Just don’t forward the port on your router and you’ll be fine.
Maybe take a look at Little Snitch? I haven’t used it but people I know who have really seem to like it.
I’ve heard some spooky-ish stuff a decade or so ago about people being able to bypass that sort of thing. I’m sure that would probably require somebody to hack the router, but between the security on the router and security on the Mac, I trust the Mac more. 
I love little snitch. You can set it to deny or approve different options. Although I’m not sure how this would exactly work. I’m sure that it could do it though.
I much prefer using a router for this purpose. I like Little Snitch and it may work for you, but I use it primarily to stop unwanted outbound connections for badly behaved websites
It’s all up to you of course.
I had written a pretty long response, telling that the Linux on your router is probably better suited than some third-party app on your Mac. But that felt a bit useless. If you only trust Apple on these matters, it’s - like I said - all up to you. But do know that 99,9999999% of the internet is not running on Apple software when it comes to security.
Just my $0.02.
That’s a good point.
For what you’re doing it might be easiest to do it in terminal via the BSD based packet filter. You would first write a rule to deny then permit the service/subnet you want.
I was going to suggest that, but then I looked up the process that people are having to go through to make the rules persistent between reboots and updates, and backed away very slowly 
Yep. I didn’t seen anything about reboots when I looked, but definitely an issue with upgrades. Will look into this more. Now I’m curious…
I’m not 100% certain on the reboot issue: I skimmed an article or three, paired what I was reading with “… easy to use is a bonus…” and decided that pf for macOS probably wasn’t it
Now I’m curious too…
I suggest adding a Firewalla Blue to your network. I’ve had the Blue running for over six months. Very useful info and network controls.
This company went and put a pretty decent wrapper on a bunch of open source and free services; good for them. But, If you go and pay for this device thinking it’s going to solve this use case you’re going to be extremely disappointed. It won’t…
Well, it’s a bonus, not a requirement. 
PF isn’t off the table as an option here.
I agree that Linux, as an OS, is probably suited as well or better than an app on my Mac. The question though is one of whether the people who built the router have designed the system well or not - and the answer to that, all too commonly, seems to be “no”. And of course there’s all the smart-home stuff that lives behind routers and could potentially create a problem of its own, if I ever decide to go down that route.
Basically, for me this isn’t an issue of Apple vs. non-Apple - this is an issue of “security on the machine itself” vs. “trusting a random third-party device to solve the problem for me”.
And they’re complementary in my view, not either/or.
Good point. Let’s not forget that OS X is based on BSD. A large percentage of internet infrastructure is (some moving towards Linux) based on BSD. You still have a great deal of control to harden OS X in the terminal. Still think this is the best bet for this use case.
At this point I think I’m going to start playing with PF. Is that the route you’re thinking you’d go as well?
Yes. Simply because it’s free and you can create two rules that solve your problem. @ACautionaryTale was right. Some of the settings aren’t retained after reboot. Found a good reference here.
“ Additionally, you must re-enable PF ( pfctl -E ) each time your Mac reboots; ideally, you should create a launchd job for this (see Pfctl launch daemon does not seem to process program arguments).”
May or may not suit your needs. Since this doesn’t seem overly critical (assumption on my part) I’d just as soon go the free route if I learn something in the process. 
I can definitely do the launchd thing. Since I’m already going full command line on this problem I’ll probably also add a quick monitor script that checks it every 10 minutes and launches it if there’s an issue.
Sometimes with this fiddly stuff I like the convenience of a third-party app that just handles things. As an unrelated example, I’ve done FFMPEG code for some audio/video conversions, but there are definitely times where I appreciate software like Handbrake with its drag & drop interfaces with nice menus.
I know I’m probably an edge case, but I just had a huge insurance survey as part of a disclosures process where they were asking me thirty billion questions about my security setup - so it’s got me in a more-elevated-than-normal security mindset.