If you have one particular IP address that is either dropped or accepted through the firewall that you think should not be, then you can use the new WATCH_MODE in csf.
Before enabling this option and using the CLI command to watch an IP address, check whether it is explicitly listed first using:
csf --grep 11.22.33.44
Where 11.22.33.44 is the IP address you're tracking. If that comes back with no matches, follow the section in /etc/csf/readme.txt Watching IP addresses. You will have to have an understanding of how iptables rules traverse chains to use this facility so that you can understand which chain the ip address was allowed/dropped in.