There is currently a JIRA open:
[FREEPBX-22682] Firewall version 184.108.40.206 and after does not process Advanced Custom Rules properly - Sangoma Issue Tracker
that is addressing a known issue with 15.0.13 and higher.
In that ticket, we are discussing the fact that fail2ban supersedes custom rules whenever the former is restarted. I don’t know how this used to work in the past (fail2ban wasn’t working for a while anyway). Did custom rules stay above fail2ban in the INPUT chain of iptables? Does it make a difference to those of you using custom rules? Keep in mind that as long as a packet doesn’t reach the underlying service, fail2ban won’t be triggered since it doesn’t end up in the logs.
I’m asking because I’m writing a patch, and I don’t think it’s possible to put rules above fail2ban and have them stay there, since Fail2Ban will always INSERT its rules into INPUT, especially in Fail2Ban >0.8.
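The ordering question in the post can be checked from `iptables -S INPUT` output. The following is an added example, not part of the original post or of the FreePBX firewall code: it reports custom rules that are evaluated after a fail2ban jump and models a fail2ban restart re-inserting its jumps at the top of INPUT. The sample rule set, the `custom:` comment tag and the `fpbxfirewall` jump are assumptions constructed for the illustration.

```python
import re
import shlex

# fail2ban's iptables actions name their chains f2b-<jail> (0.9+) or fail2ban-<jail> (0.8).
F2B_TARGET = re.compile(r"^(f2b|fail2ban)-")

# Constructed sample of `iptables -S INPUT`; the "custom:" comment tag and the
# fpbxfirewall jump are assumptions made for this example.
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.0/24 -m comment --comment "custom: block range" -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-SSH
-A INPUT -j fpbxfirewall
"""

def input_rules(save_text):
    """Return (rule_line, target) for each INPUT rule, in evaluation order."""
    rules = []
    for line in save_text.splitlines():
        words = shlex.split(line)
        if words[:2] != ["-A", "INPUT"]:
            continue  # policy line, blank line, or another chain
        target = words[words.index("-j") + 1] if "-j" in words[:-1] else None
        rules.append((line.strip(), target))
    return rules

def is_f2b(target):
    return bool(target and F2B_TARGET.match(target))

def custom_rules_below_fail2ban(save_text, tag="custom:"):
    """Rules carrying `tag` that are evaluated after a fail2ban jump."""
    seen_f2b, below = False, []
    for line, target in input_rules(save_text):
        if is_f2b(target):
            seen_f2b = True
        elif seen_f2b and tag in line:
            below.append(line)
    return below

def after_fail2ban_restart(save_text):
    """Model a restart: jail jumps are deleted, then re-added at the top with -I."""
    rules = input_rules(save_text)
    jumps = [line for line, t in rules if is_f2b(t)]
    rest = [line for line, t in rules if not is_f2b(t)]
    return "\n".join(jumps + rest)

if __name__ == "__main__":
    print("before restart:", custom_rules_below_fail2ban(SAMPLE))
    print("after restart: ", custom_rules_below_fail2ban(after_fail2ban_restart(SAMPLE)))
```

On a live system the input would be the real `iptables -S INPUT` output, and the tag would be whatever marker identifies the custom rules there.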