I understand what you’re saying and follow you, but my issue is now the linkage in function and priority.
Goal:
- port 5060 blocked to the world up above the fpbxfirewall chains; not necessarily before fail2ban.
- only allow port 5060 to trusted/whitelisted IP Addresses up front
- only have one command line command to add the IP to the whitelist table.
- all other firewalling continue to be processed as per FPBX out-of-the-box configurations.
I am thinking of disabling Responsive Firewall, as I understand it to be that if a registration is successful, then it gets placed into a ‘known good’ zone, which I don’t want. The reason being that if an actor has the correct credentials, then that network goes freely. I also don’t want to log into the GUI every time and update the allow/deny per extension, as this violates the single command line rule.
If I add a new site or a remote user’s home IP changes, I want to be able to run the single `fwconsole firewall trust x.x.x.x` command and everything keeps chugging along.
If I don’t have the custom firewall rule in place, nothing out of the box is blocking port 5060 from the world if not in the trusted zone, which is why I did what I did… thinking that was the solution.
I am also new to FPBX and still wrapping my head around the build and the ins and outs of the configurations. I am not new to Asterisk or CentOS.