Responsive Firewall always blocks "good" external users

OK, so I have this tested and working on my system. The pull request is here:
Pull Request #92: FREEPBX-22170 - Prevent false positives in RFW - FreePBX GIT

Essentially, what I did was add a 90 second bypass to the responsive firewall for the first time we see a packet from an IP address. While this functionality was supposed to be there previously, the existing code would not remove successful registrations from the whitelist, and therefore the second time the whitelist would need to be used it wasn’t available and would cause a false block.

I also fixed the issue that registrations hitting the RFW were not always appearing in the UI, by marking the packets earlier in the chain so that they show up as soon as they hit the RFW, not after they fail it first.

What is still unsolved is that fail2ban is working alongside the RFW, and the rules in fail2ban precede RFW. Because of this, a misconfigured device will cause FAIL2BAN, not RFW, to DOS an entire site. While I can understand the security involved, the likelihood of a sleep deprived sysadmin mistyping credentials is so much more likely than an inside job attack, that I would like to see fail2ban either disabled once RFW is enabled, or that the ruleset should be further down in the IPTABLES chains so that packets allowed through RFW should not be blocked by fail2ban.

Awaiting community feedback on whether these changes are smart or not.

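A hypothetical model of the first-contact grace window the post describes, added here as an illustration and not code from the pull request or from FreePBX: the bypass entry is cleared when registration succeeds, so a later re-registration from the same address gets a fresh 90 second window instead of hitting a stale one. The failure threshold, the 3600 s registration lifetime and the addresses are assumptions.

```python
"""Hypothetical model of the responsive-firewall grace window (not FreePBX code)."""

BYPASS_SECONDS = 90        # first-contact grace window named in the post
FAIL_THRESHOLD = 3         # assumed: failed REGISTERs tolerated inside the window


class ResponsiveFirewall:
    def __init__(self):
        self.bypass = {}      # ip -> [window_start, failures]
        self.registered = {}  # ip -> time the current registration expires
        self.blocked = set()

    def packet(self, ip, now):
        """Return 'allow' or 'drop' for a SIP packet from ip at time now."""
        if self.registered.get(ip, -1) > now:
            return "allow"                      # live registration always passes
        if ip in self.blocked:
            return "drop"
        entry = self.bypass.get(ip)
        if entry is None:
            self.bypass[ip] = [now, 0]          # first packet: open the 90 s window
            return "allow"
        start, failures = entry
        if now - start > BYPASS_SECONDS:
            return "drop"                       # window over and never registered
        return "allow" if failures < FAIL_THRESHOLD else "drop"

    def registration_result(self, ip, ok, now, expires=3600):
        """Feed the outcome of a REGISTER attempt back into the firewall."""
        if ok:
            self.registered[ip] = now + expires
            self.bypass.pop(ip, None)           # the fix: drop the grace entry on success
            return
        entry = self.bypass.setdefault(ip, [now, 0])
        entry[1] += 1
        if entry[1] >= FAIL_THRESHOLD:
            self.blocked.add(ip)


def reregistration_after_expiry(remove_on_success=True):
    """Scenario: a phone registers, its registration lapses, then it comes back."""
    fw = ResponsiveFirewall()
    ip = "203.0.113.10"                         # constructed documentation address
    fw.packet(ip, 0)
    fw.registration_result(ip, True, 5, expires=3600)
    if not remove_on_success:
        fw.bypass[ip] = [0, 0]                  # stale entry the old behaviour left behind
    return fw.packet(ip, 4000)                  # registration expired, device reappears
```

With the stale entry left in place the returning phone is dropped; with it cleared, the phone gets a new grace window and can re-register.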