OK, I've installed APF firewall and now the correct iptables modules seem to have been installed for it. When I run apf --start, it's setting up iptables correctly... except for one thing.

iptables -L is telling me that the default policy for the INPUT, FORWARD and OUTPUT chains is 'ACCEPT'. Now, I'm no iptables expert, but that seems pretty useless for a firewall to me. Doesn't that mean that any port I don't explicitly ban will be allowed, i.e. a blacklisting policy?

My ability to connect to port 2095 on my server, a port I hadn't put in the common ingress ports list in the APF config file, would seem to confirm this assumption.

I want a whitelist-based firewall. Is there a way to get APF to do this? Preferably not having to manually access iptables myself? (I thought the point of APF was to hide the complexity of iptables from you!)