While you can have rules like
allow tcp from fred.house.domain.edu to any 22 in
I'm not sure that you could use a * instead of the fred. You would probably have to iterate all possible values for *. The only way to find out is to try it.
Do you have the netmask for *.house.domain.edu, you could use that.
allow tcp from xxx.xxx.0.0/24 to any 22 in
Is there another way of approaching this, could you just only allow the various private address ranges in and exclude the rest. Assuming that the *.house.domain.edu are all private.