jgmdev / ddos-deflate

Fork of DDoS Deflate with fixes, improvements and new features.

ddos blocked client on ignore list #82

Closed darren12345 closed 2 years ago

darren12345 commented 2 years ago

My DNS server stopped responding to a single client on the network, and it took me ages to discover that ddos deflate had blocked it:

[2022-01-08 15:31:26] banned 192.168.10.237 with 150 connections for ban period 86400

Even though my entire local network is on the ignore list:

root@serverb3:/etc/ddos# cat ignore.ip.list
127.0.0.1
192.168.10.0/24
86.188.180.66
root@serverb3:/etc/ddos# cat ddos.conf
# Paths of the script and other files
PROGDIR="/usr/local/ddos"
SBINDIR="/usr/local/sbin"
PROG="$PROGDIR/ddos.sh"
IGNORE_IP_LIST="ignore.ip.list"
IGNORE_HOST_LIST="ignore.host.list"
CRON="/etc/cron.d/ddos"
# Make sure your APF version is atleast 0.96
APF="/usr/sbin/apf"
CSF="/usr/sbin/csf"
IPT="/sbin/iptables"

# frequency in minutes for running the script as a cron job
# Caution: Every time this setting is changed, run the script with --cron
#          option so that the new frequency takes effect
FREQ=1

# frequency in seconds when running as a daemon
DAEMON_FREQ=5

# How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

# The firewall to use for blocking/unblocking, valid values are:
# auto, apf, csf and iptables
FIREWALL="auto"

# An email is sent to the following address when an IP is banned.
# Blank would suppress sending of mails
EMAIL_TO="root"

# Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=86400

# Connection states to block. See: man netstat
CONN_STATES="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"
root@serverb3:/etc/ddos# ddos -V
DDoS-Deflate version 0.8
Copyright (C) 2005, Zaf <zaf@vsnl.com>
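
One way to confirm from the shell whether a banned address is covered by the entries in `ignore.ip.list`, CIDR ranges included. This is an added example, not part of the original report and not ddos-deflate's own code; the function names and the assumed file format (one IPv4 entry per line, `#` comments allowed) are hypothetical.

```sh
# Added example (not ddos-deflate's code): CIDR-aware ignore-list lookup.

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 is inside entry $2 (single IP or a.b.c.d/prefix).
ip_matches_entry() {
    ip=$(ip_to_int "$1") || return 1
    case "$2" in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    case "$bits" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    net=$(ip_to_int "$net") || return 1
    # Network mask from the prefix length (assumes 64-bit shell arithmetic).
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
}

# Return 0 if $1 is covered by any entry of ignore-list file $2.
# Assumed file format: one entry per line, blank lines and '#' comments skipped.
ip_ignored() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "${entry%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if ip_matches_entry "$1" "$entry"; then return 0; fi
    done < "$2"
    return 1
}

# Demo with the ignore list and banned address quoted in the issue.
list=$(mktemp)
printf '%s\n' 127.0.0.1 192.168.10.0/24 86.188.180.66 > "$list"
if ip_ignored 192.168.10.237 "$list"; then
    echo "192.168.10.237 is covered by the ignore list"
fi
rm -f "$list"
```

Running `ip_ignored <banned-ip> /etc/ddos/ignore.ip.list` against the real file shows whether a ban logged by the tool contradicts the list as written.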