Configuring OS X Firewall to enable SSH/SCP only on the local subnet?

We would like to configure OS X to only allow Remote File Sharing (SCP) from a specific range of internal IP addresses. That way they only accessible when the user is connected via the VPN.

What's the preferred method? Doesn't seem to be doable via the Security & Privacy tab.