By definition, a server only listens for incoming requests on a specific port (8080 by default for JBoss)! So all requests coming in on this port will be processed.
What you have to do is configure your FW so that it intercepts all requests coming in on this port (8080). So, you "just" need to configure the filtering logic you want in your FW...
You can even use, e.g., SSL communication from the proxy to the server. Use a certificate for your client (the proxy), which is then required to access the bean configured this way.
Depending on your needs, the simple solution might be to write a servlet filter and define it in web.xml in the Tomcat deployment (tomcatXX.sar/web.xml). A filter defined here will be in the chain for every incoming request. That filter could just issue a 401 if the remote address is not that of the local box.
Too bad Tomcat doesn't have ACL config directives like Apache. That would be another easy way to solve this.
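The servlet filter described in the reply above, as an added example that is not code from the thread. The class name `LocalOnlyFilter` is hypothetical, the `javax.servlet` API is assumed, and the filter is assumed to be mapped to `/*` in web.xml.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. Declare it in web.xml with a <filter> element and
// a <filter-mapping> on /* so it sits in the chain for every request.
public class LocalOnlyFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (isLocal(req.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        // 401 as suggested in the reply; the request never reaches the application.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // True only if the peer address is loopback or bound to an interface of this host.
    static boolean isLocal(String remoteAddr) {
        // InetAddress.getByName(null) and getByName("") both return loopback,
        // so a missing address must be rejected before parsing.
        if (remoteAddr == null || remoteAddr.length() == 0) {
            return false;
        }
        try {
            // getRemoteAddr() yields an IP literal, so this parses without a DNS lookup.
            InetAddress addr = InetAddress.getByName(remoteAddr);
            return addr.isLoopbackAddress() || NetworkInterface.getByInetAddress(addr) != null;
        } catch (IOException e) {
            return false; // fail closed on unparsable input or interface lookup errors
        }
    }

    public void destroy() {
    }
}
```

`getRemoteAddr()` reports the TCP peer, so when a proxy on the same machine forwards requests, every request appears local and the restriction has to be enforced at the proxy or firewall instead.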