There appears to be no way to restrict access to the AJP port

Description

Short version: you can presently restrict which hosts can connect to the main Jetty port, but there doesn't appear to be a way to restrict which hosts can connect to the AJP port.

In the opennms.properties file, you can restrict who can access the regular Jetty port (default 8980). For example, if you set "org.opennms.netmgt.jetty.host" to be "127.0.0.1", then only local users can connect to the main Jetty port.

In addition, you can turn on AJP support by setting "org.opennms.netmgt.jetty.ajp-port" to a value (default 8981). However, there does not appear to be a way to restrict who can connect to that particular port. It would be very good if either the "jetty.host" setting also applied to the AJP port, or perhaps there could be a separate config variable, with a name like "jetty.ajp-host".

From a quick glance at the source code, it appears it wouldn't be too difficult to add this functionality, once you make a decision as to what the variable should be called. But I don't have a great deal of knowledge about either OpenNMS or Java, so I could be missing something.

Environment

Operating System: Linux
Platform: PC

Acceptance / Success Criteria

None

Activity

Benjamin Reed April 24, 2014 at 12:27 PM

In 1.12.7, Jetty has been changed to use a jetty.xml file which can be configured to handle issues like this.

Fixed

Created November 30, 2009 at 1:57 PM
Updated January 27, 2017 at 4:25 PM
Resolved April 24, 2014 at 12:27 PM
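
A check for the situation this issue describes, added here as an example (it is not OpenNMS code): it reads the AJP port from opennms.properties text and reports any non-loopback address that port is listening on, using the text output of `ss -ltn`. The function names and the sample properties and socket listing are constructed for illustration.

```python
import ipaddress

AJP_KEY = "org.opennms.netmgt.jetty.ajp-port"   # property named in the report

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listeners(ss_output):
    """Map each listening TCP port to its local addresses (`ss -ltn` text)."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            found.setdefault(int(port), set()).add(addr.strip("[]"))
    return found

def is_loopback(addr):
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])
    except ValueError:
        return False          # "*" (wildcard) or unparsable: treat as exposed
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip.is_loopback

def ajp_exposure(properties_text, ss_output):
    """Return the non-loopback addresses the configured AJP port listens on."""
    ajp_port = parse_properties(properties_text).get(AJP_KEY, "")
    if not ajp_port.isdigit():
        return []             # AJP is not enabled in this file
    addrs = listeners(ss_output).get(int(ajp_port), set())
    return sorted(a for a in addrs if not is_loopback(a))

# Constructed sample input: jetty.host is loopback, yet AJP binds the wildcard.
SAMPLE_PROPS = """\
org.opennms.netmgt.jetty.host = 127.0.0.1
org.opennms.netmgt.jetty.ajp-port = 8981
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:8980     0.0.0.0:*
LISTEN 0      50     *:8981             *:*
"""
```

An empty list means the AJP port is either disabled in the properties file or listening only on loopback addresses.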