I've allowed an IP of a client who often generates pop3 login failures due to there being many users at a single location.
If they do something that would result in them getting blocked, such as repeat pop3 login failures, lfd still picks this behaviour up and sends me an email as would be received when an IP gets blocked.
It doesn't really matter since the IP doesn't get blocked, however I think this still counts as a problem for two reasons:
1) It's a bug as the alert email specifically states that the IP was blocked when it wasn't
2) It's inefficient. Since an email alert is generated, I assume lfd is still taking into consideration log file lines that contain an allowed IP. Should lfd not ignore log file lines if an allowed IP is present? Or would doing so end up needing further resources (by having to check each log file line against a list of allowed IPs)?
It's not really much of a concern at all but thought I'd bring it up in case it hasn't be spotted before.
lfd alerts sent for allowed IPs
In those cases you should really add the IP address to /etc/csf/csf.ignore as well so that lfd ignores them.
The reasoning is that csf.allow and csf.deny are used to generate the iptables chains. In contrast, csf.ignore (and all the other ignore files) are used by lfd to determine whether to block/alert based on the ignore file contents.
The reasoning is that csf.allow and csf.deny are used to generate the iptables chains. In contrast, csf.ignore (and all the other ignore files) are used by lfd to determine whether to block/alert based on the ignore file contents.