I have used fwknop <http://www.cipherdyne.org/fwknop/> with great success before. You block SSH connections by default and let fwknop open up the port after a successful authentication.
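
The default-deny, open-after-authentication flow from the post above, as an added Python sketch that is not part of the original post and is not fwknop's code or wire format (fwknop uses its own encrypted packet format and manages real firewall rules). The packet layout, key, timeouts and the names `build_packet` and `Gate` are assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

# Constructed demo key; a real deployment provisions its own secret.
KEY = b"constructed-demo-key"
MAX_SKEW = 60       # seconds a packet's timestamp may differ from our clock
OPEN_SECONDS = 30   # how long the port stays open after a valid packet


def build_packet(key, client_ip, port, now):
    """Client side: nonce + timestamp + port + source IP, then an HMAC tag."""
    body = os.urandom(16) + struct.pack("!QH", int(now), port) + client_ip.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gate:
    """Server side: everything is denied unless a valid packet opened it."""

    def __init__(self, key):
        self.key = key
        self.seen = set()   # digests of accepted packets (replay detection)
        self.open = {}      # (ip, port) -> expiry time of the temporary rule

    def handle(self, packet, now):
        if len(packet) < 16 + 10 + 32:        # nonce + header + tag
            return False
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # wrong key or tampered packet
        ts, port = struct.unpack("!QH", body[16:26])
        if abs(now - ts) > MAX_SKEW:
            return False                      # stale packet
        digest = hashlib.sha256(packet).digest()
        if digest in self.seen:
            return False                      # captured packet sent again
        self.seen.add(digest)
        ip = body[26:].decode()               # authenticated by the HMAC above
        self.open[(ip, port)] = now + OPEN_SECONDS
        return True

    def allowed(self, ip, port, now):
        """Default deny: only an unexpired opening permits the connection."""
        return self.open.get((ip, port), 0) > now


if __name__ == "__main__":
    gate, now = Gate(KEY), time.time()
    print("before:", gate.allowed("203.0.113.7", 22, now))
    print("accepted:", gate.handle(build_packet(KEY, "203.0.113.7", 22, now), now))
    print("after:", gate.allowed("203.0.113.7", 22, now + 5))
```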