I won’t go into detail on how to set up an ssh server. I am assuming that you know how to do that.
As for the firewall, there is a script from @unman that does all the heavy lifting for you!
Download it, make sure that unman does not plant a reverse shell in your dom0 by reading it, copy it into your dom0 by
qvm-run -p <qube-that-has-the-script> "cat <location-of-script>" | cat > openport
make it executable
chmod +x openport
and open the port
./openport add <target-qubes> tcp 22
This is volatile! Meaning, you have to run it every restart of your dom0, or create an autostart functionality.