This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
We have found that IP addresses that you place in the csf.allow file are being overriden by SpamHaus and DShield banned IP addresses. We thought that the csf.allow would override anything in the csf.deny, SpamHaus, and DShield lists.
What is happening... is that with all the off-shore support stuff going on, that DShield/SpamHaus has some .PK IPs banned, yet one of our vendors use Pakistan for support and even with their IP in the csf.allow, they are blocked.
It shouldn't and if it is, then it's probably an iptables issue as the allow list comes before the block lists in the INPUT rule list. Check your iptables output that the allow IP's are coming before the block chain.