Problem statement:
Fail2ban with Firewalld on openSUSE Leap 15.0 allow the brute force attack to continue for unlimited time.

What needs to happen (ok in openSUSE Leap 42.x):
Fail2ban detects 5 invalid Apache login attempts, bans the IP, connection to Apache server drops off and the server becomes unavailable.

What happens (openSUSE Leap 15.0):
Fail2ban detects 5 invalid Apache login attempts, bans the IP, connection to Apache server continues undisturbed. Only the new connections from the same IP find the server unavailable.

Q1: Why(how) did it work in Leap 42.x?
Q2: How to implement the same function in Leap 15?

Comments:
The reason for Q1 as stated is that I did some research and found out it probably wasn't supposed to work like that at all, at least not OOB. Fail2ban sends the IP ban info to the FW but there is no actual "reset" of the active connections from the respective IP. So, the current connections will continue, just the new connections are being dropped.
I did nothing special for it to work on 42.x, installed and configured Apache, installed Fail2ban and configured jails, everything from official repos, worked as expected for years.

Now, after many unrelated issues with upgrading, I went for Leap 15 clean install, on the same exact HW, basically used the same configuration files for both Apache and Fail2ban, respectively, only to run into this behavior. The obvious difference is Firewalld but I can't say it is to blame.

Clearly, the answer to Q2 is more important - I am currently studying ModSecurity with Apache but it might take a while. I feel like I'm missing something since it worked as needed OOB on 42.x and it should not be as complicated.