In general, yes. But in practice I would keep my hands off. It is a question of ordering the firewall rules.
The simple thing is to make your advanced rule the first rule.
You can say: -I INPUT 1 -p udp --dport 1194 -s xxx.xxx.xxx.xxx/24 -j ACCEPT
or 2 or 3, so your advanced rule is the first, second or third rule within your iptables. Nothing to do with fail2ban.
However, the problem is that the next hit of your fail2ban rules puts the f2b chain in first place again.
This can only be avoided by changing the /fail2ban/action.d/* files, e.g. iptables-multiport.local.
To set this action e.g. to position 7:
[Definition]
# fail2ban's <tag> placeholders were stripped by the forum's HTML rendering; restored here
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> 7 -p <protocol> -m multiport --dports <port> -j f2b-<name>
...And this is the point where I would keep my hands off...
Because FreePBX has (for me) too many f2b rules, which I really don't understand as a whole.
So I tried -I INPUT 1
-I INPUT 1 -p udp --dport 1194 -s xxx.xxx.xxx.xxx/24 -j ACCEPT
This still inserts the traffic AFTER fail2ban.
Then I tried -I INPUT 2
-I INPUT 2 -p udp --dport 1194 -s xxx.xxx.xxx.xxx/24 -j ACCEPT
Now this inserts traffic BEFORE fail2ban
This works, but now I want to dive in a little deeper and understand why it works.
By chance, do the INPUT 1 and INPUT 2 numbers correspond to zones?
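A model of the rule ordering discussed in the reply above and tried in this post, as an added example (it is not code from the thread, from fail2ban, from FreePBX or from iptables itself). It uses stock iptables semantics: `-I` with no index means position 1, the first matching rule decides, fail2ban's stock iptables-multiport action inserts its jump at the top of the chain, and a fail2ban restart runs actionstop and then actionstart. Everything concrete is constructed: 203.0.113.0/24 stands in for the xxx.xxx.xxx.xxx/24 in the thread, 203.0.113.77 is a host inside it that fail2ban has banned, the jail name "openvpn" and the six baseline rules are made up. FreePBX's own firewall chains are not modelled, so this shows the reply's point (a restart pushes a rule inserted at 1 back to 2 unless the action file's insert position is changed, e.g. to 7) rather than reproducing the -I INPUT 2 observation above.

```python
"""Added model of iptables INPUT-chain ordering (not code from the thread,
fail2ban, FreePBX or iptables itself).  Constructed values: 203.0.113.0/24
stands in for xxx.xxx.xxx.xxx/24, 203.0.113.77 is a banned host inside it,
the jail name "openvpn" and the baseline rules are made up."""

from ipaddress import ip_address, ip_network


class Rule:
    """One INPUT rule: optional -p / --dport / -s matches and a target."""

    def __init__(self, target, proto=None, dport=None, src=None):
        self.target, self.proto, self.dport = target, proto, dport
        self.src = ip_network(src) if src else None

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"])
                and (self.src is None or ip_address(pkt["src"]) in self.src))


class Chain:
    """Ordered rule list with iptables -A / -I / -D semantics."""

    def __init__(self):
        self.rules = []

    def append(self, rule):                 # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):          # iptables -I INPUT [pos] ...; default is 1
        if not 1 <= pos <= len(self.rules) + 1:
            raise ValueError("iptables: Index of insertion too big.")
        self.rules.insert(pos - 1, rule)

    def delete(self, pred):                 # iptables -D INPUT ... for every matching rule
        self.rules = [r for r in self.rules if not pred(r)]

    def position(self, pred):
        """1-based position of the first rule satisfying pred (as -L --line-numbers shows)."""
        return next(i + 1 for i, r in enumerate(self.rules) if pred(r))

    def verdict(self, pkt, banned=frozenset(), policy="DROP"):
        """Walk top-down; the first match wins.  A jump into an f2b- chain is
        modelled as REJECT for a banned source and RETURN (fall through) otherwise."""
        for r in self.rules:
            if not r.matches(pkt):
                continue
            if r.target.startswith("f2b-"):
                if pkt["src"] in banned:
                    return "REJECT"
                continue
            return r.target
        return policy


def f2b_actionstart(chain, pos=1):
    """Model of the iptables-multiport actionstart: insert the jump to
    f2b-<name> into INPUT at <pos>.  The stock action file uses a bare
    -I <chain>, i.e. position 1; the reply above changes that to 7."""
    chain.insert(Rule("f2b-openvpn", proto="udp", dport=1194), pos)


def f2b_actionstop(chain):
    """Model of actionstop: remove the jump again (the chain itself is dropped too)."""
    chain.delete(lambda r: r.target.startswith("f2b-"))


# The rule from the thread: -I INPUT <n> -p udp --dport 1194 -s <trusted>/24 -j ACCEPT
USER_RULE = Rule("ACCEPT", proto="udp", dport=1194, src="203.0.113.0/24")


def build(user_pos, f2b_pos=1, f2b_restart=True):
    """Baseline rules, fail2ban start, the user's -I INPUT <user_pos> ... rule,
    then optionally a fail2ban restart (actionstop followed by actionstart)."""
    inp = Chain()
    for port in (22, 80, 443, 5060, 5061, 10000):   # constructed baseline rules
        inp.append(Rule("ACCEPT", proto="tcp" if port < 5060 else "udp", dport=port))
    f2b_actionstart(inp, f2b_pos)
    inp.insert(USER_RULE, user_pos)
    if f2b_restart:
        f2b_actionstop(inp)
        f2b_actionstart(inp, f2b_pos)
    return inp


def positions(chain):
    """(position of the user ACCEPT rule, position of the f2b jump)."""
    return (chain.position(lambda r: r is USER_RULE),
            chain.position(lambda r: r.target.startswith("f2b-")))


if __name__ == "__main__":
    pkt = {"proto": "udp", "dport": 1194, "src": "203.0.113.77"}   # constructed packet
    for label, chain in (("-I INPUT 1, no restart", build(1, 1, f2b_restart=False)),
                         ("-I INPUT 1, then fail2ban restart", build(1, 1)),
                         ("-I INPUT 1, action file inserts at 7", build(1, 7))):
        user_at, f2b_at = positions(chain)
        print(f"{label}: user rule at {user_at}, f2b jump at {f2b_at}, "
              f"banned trusted host -> {chain.verdict(pkt, {pkt['src']})}")
```

The three printed cases are the ones the reply describes: with the stock action file, a rule inserted at 1 is in front of fail2ban only until fail2ban next re-inserts its jump at 1; moving the action file's insert to 7 keeps the user rule in front across restarts. `Chain.insert` also raises for an index beyond length+1, the same condition under which real iptables refuses an `-I` with too large an index.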