How about deny everything and have people enter their worker IPs when they set up workers? Then just open up the source IP for each worker.
+1 Simple and effective
Heh... see my post above yours... not simple if your ISP gives you dynamic IPs that change every few days.