csf: how to override TCP_IN?

I'm using csf v14.05 on my Debian-8-based server.

In csf.conf, I have the following:

TCP_IN = "53,80,110,119,143,443,465,587,953,993,995"

I want to selectively override this in csf.deny, only for certain specific host/port combinations, as in the following example:

tcp|in|d=143|s=aaa.bbb.ccc.ddd # actual IP address dummied out

However, requests coming from aaa.bbb.ccc.ddd to port 443 are still being allowed.

I know that csf.allow rules override all other rules, and therefore, it appears that TCP_IN within csf.conf also behaves the same way.

Is there any way in csf to allow open access to a given port except for certain, selected IP addresses, like I am trying to do here?

Thank you very much.


This is a source of common confusion ...

TCP_IN allows all the ports listed, regardless of csf.allow (except when the csf.allow rule is a deny rule).

So, if you really wanted to selectively allow access to a port, you would exclude it from TCP_IN in csf.conf ... and then have it in csf.allow.
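
An added example, not part of either post and not csf's own code: a simplified matcher for the single-port, single-address advanced rule form quoted in the question, showing which connections that rule covers (it names port 143, so port 443 falls outside it), followed by the answer's approach of dropping a port from TCP_IN and listing permitted sources in csf.allow. The addresses are constructed placeholders, the function names are hypothetical, and csf's actual rule ordering is not modelled.

```python
import ipaddress

# Constructed sample values: 192.0.2.10 stands in for the dummied-out address,
# 198.51.100.7 is a hypothetical host that should keep access to port 143.
TCP_IN = "53,80,110,119,143,443,465,587,953,993,995"
DENY_RULE = "tcp|in|d=143|s=192.0.2.10 # constructed stand-in for aaa.bbb.ccc.ddd"


def parse_rule(line):
    """Parse the single-port, single-address form: proto|dir|d=port|s=ip."""
    body = line.split("#", 1)[0].strip()          # drop trailing comment
    proto, direction, *fields = body.split("|")
    rule = {"proto": proto, "dir": direction}
    for field in fields:
        key, _, value = field.partition("=")      # key is "s" or "d"
        if value.isdigit():
            rule[key + "port"] = int(value)
        else:
            rule[key + "ip"] = ipaddress.ip_network(value, strict=False)
    return rule


def rule_matches(rule, proto, direction, dport, src):
    """True when the connection falls under the rule; absent fields match anything."""
    if rule["proto"] != proto or rule["dir"] != direction:
        return False
    if rule.get("dport", dport) != dport:
        return False
    return "sip" not in rule or ipaddress.ip_address(src) in rule["sip"]


def restrict_port(tcp_in, port, allowed_sources):
    """Answer's approach: remove the port from TCP_IN, allow it per source."""
    remaining = [p for p in tcp_in.split(",") if p != str(port)]
    allow_lines = [f"tcp|in|d={port}|s={src}" for src in allowed_sources]
    return ",".join(remaining), allow_lines


if __name__ == "__main__":
    rule = parse_rule(DENY_RULE)
    for dport in (143, 443):
        hit = rule_matches(rule, "tcp", "in", dport, "192.0.2.10")
        print(f"port {dport} from 192.0.2.10 covered by rule: {hit}")
    new_tcp_in, allow_lines = restrict_port(TCP_IN, 143, ["198.51.100.7"])
    print(f'csf.conf:  TCP_IN = "{new_tcp_in}"')
    for line in allow_lines:
        print(f"csf.allow: {line}")
```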