The fwupd application is an intrusion prevention system that dynamic updates the packet filter rules (iptables) based on indications of an ongoing attack from information found in the system logs.
Each monitored service (i.e. SSH) get its own chain hooked into the INPUT and OUTPUT chain. When an intrusion is detected, the IP-address of the attacking computer gets added to that service blacklist and iptables chain, thus preventing further attacks from that IP-address.
Each monitored service has an associated whitelist and blacklist. Computers on the whitelist are always allowed to connect to the monitored service, while computers on the blacklist are nuked.
Always trusted computers are defined in the global configuration /etc/fwupd.conf. Connections from these hosts are always accepted and no service access control is ever performed.