• PfBlockerNG is not doing what I want…..

    2
    0 Votes
    2 Posts
    568 Views
    V

    Okay so here is what I really need help with.
    I want to block outgoing packets to Russia and China with the exception of my torrents, which I want to send through port 17000.

    How would I implement this, as the "Invert" option does not appear for ports, only for sources or destinations?

  • 1 Votes
    5 Posts
    1k Views
    ARAMP1A

    @jdeloach:

    @ARAMP1:

    Thanks.  It ended up being the "pfB_Top_v6 auto rule" on my LAN1.  I disabled it and now can access the website.  Now, to figure out what the rule did and what I did by disabling it.  :o

    The web site, raspberrypi.org, appears to reside in the country of Great Britain per Whois.com.  Are you blocking the country, Great Britain?  If so, unblock it in the block list, if pfB_Top_v6  list includes this country.

    United Kingdom is listed in Top 20 and Europe and I have them both unblocked.  :(

  • DNSBL service auto started on its own even though it's disabled!

    1
    0 Votes
    1 Posts
    276 Views
    No one has replied
  • Pfblockerng understanding the log and how it works

    6
    0 Votes
    6 Posts
    1k Views
    M

    For it to address the CNAME issue you will need to remember to whitelist sites via the reporting UI, and using that won’t be any different to you listing them yourself as both the server and servers they refer to will end up in the whitelist.  So don’t feel a need to wipe & redeploy.

  • Custom whitelist sites still being blocked as per log?

    4
    0 Votes
    4 Posts
    606 Views
    RonpfSR

    When I click on the infoblock I see :

    Note: These entries are only Whitelisted when Feeds are downloaded or on a 'Force Reload'.

    ::)

  • Blocking a single host

    3
    0 Votes
    3 Posts
    516 Views
    ?

    Thanks. I guess I was being thick :)

    John

  • Command line cmd to trigger ip update?

    3
    0 Votes
    3 Posts
    855 Views
    K

    Actually I am having difficulties with the cron settings, very similar to this person (drewsaur):
    https://forum.pfsense.org/index.php?topic=129048.0
    unfortunately it was decided he did not have a bug and ignored :(

    I get the same error, only ever updates at 1:30.  Played around with it a bit, and it seems the only field that takes is the minute field "pfb_min"; it ignores the rest.  The cron settings solution you indicated is a good idea, but seems unlikely to work because of the above error.  Unlike drewsaur, having it only update at 1:30 am was not really a problem for me.  Rather than try and fix a messed up cron thing, I figured it would be easier just to add a new job for what I wanted.

    . . .

    I dug through the pfblockerng_update.php to find the command, and it looks like it's not command line at all per se, but sending a call to pfblockerng.php, which in turn calls sync_package_pfblockerng.  Not familiar with bsd or package manager so will continue down the rabbit hole when I have time.

    edit:
    sync_package_pfblockerng is not a package manager call at all I guess, it is defined in pfblockerng.inc, which is executing .php to do the update.  A neat way to do it.

    edit:
    answering my original question:

    commands for pfblocker can be executed with:
    /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php [put your option here]
    ex: /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update

    the options for [put your option here] are defined in the /usr/local/www/pfblockerng/pfblockerng.php file in a switch statement.  None of them achieve the objective of my original question.

    My personal solution was to add a new option by editing pfblockerng.php & pfblockerng.inc.  This is a grade A hack job, but if anyone is interested inquire and I will post the details.

  • DNSBLIP Blocking 1.1.1.1

    6
    0 Votes
    6 Posts
    2k Views
    K

    For me, the Alerts tab in pfBlockerNG showed that 1.1.1.1 was blocked because it was on the Abuse_Zeus list.  I had to add this IP to the Suppress List by clicking on the "+" symbol in that row of the Alerts table.  Then I had to disable and re-enable pfBlockerNG to get 1.1.1.1 to be unblocked.

  • DNSBL Certificate Error: INVALID CA

    2
    0 Votes
    2 Posts
    1k Views
    R

    BTW, after making changes to pfBlockerNG.inc:

    head -10 pfb_dnsbl.conf

    local-data: "004b17a0c349157de.com 60 IN A 0.0.0.0"
    local-data: "006a039c957c142bb.com 60 IN A 0.0.0.0"
    local-data: "007-gateway.com 60 IN A 0.0.0.0"
    local-data: "0073dd485d46d930dd9.com 60 IN A 0.0.0.0"
    local-data: "00aaa2d81c1d174.com 60 IN A 0.0.0.0"
    local-data: "00e20f955428d.com 60 IN A 0.0.0.0"
    local-data: "00zasdf.pw 60 IN A 0.0.0.0"
    local-data: "012469af389a1d1246d.com 60 IN A 0.0.0.0"
    local-data: "0194c6fcbb3.com 60 IN A 0.0.0.0"
    local-data: "019f2d2d415.review 60 IN A 0.0.0.0"

  • Fix for: pfblockerng_alerts - Allowed memory size exhausted

    1
    0 Votes
    1 Posts
    442 Views
    No one has replied
  • Number of Domains Supported by DNSBL?

    2
    0 Votes
    2 Posts
    459 Views
    M

    The problem is not so much what unbound can handle, that seems to be limited by RAM, the list updates from pfBlocker can be done seamlessly.

    The problem you’ll have is that if you have DHCP allocating names to IPs then every time you do so it restarts unbound which reloads everything and that takes time with a big list.  My system (N3150, 8gb + SSD) starts getting grumpy after ~600,000 domains but it’s just reload time.

    I looked at looking at how DHCP sets up the names to use the seamless method that pfB does, though it may be possible to double up on DNS servers somehow with a clever config.

  • DNSBL and syslog

    3
    0 Votes
    3 Posts
    857 Views
    RonpfSR

    @BBcan177:

    How the pfBlockerNG Tracker ID number is created :
    Each Firewall rule for pfBlockerNG is assigned a unique Tracker Number.
    This Number can be used in a Remote syslog so that Events can be tracked by this unique Tracker Number.

    Tracker Number function is here:

    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L2036

    Basically it takes the Alias Name, various Interface Information and converts this to a unique tracker number…

    All pfBlockerNG Tracker Numbers start with "177"

  • Alias rules after restore misery

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • Pfblocker Making One IP on LAN to skip everything pfblocker does

    2
    0 Votes
    2 Posts
    321 Views
    C

    Just had a quick look around the GUI, I think it's possible but not in a one click manner.

    So pfblockerng filters via DNSBL and IP based BL.

    The latter is done solely via the firewall so modifying the firewall for that LAN ip to bypass should be possible although you may need to adjust an option in pfblockerng related to rule ordering so custom rules are processed before pfblockerng rules.

    The former is done via DNS manipulation, and that will direct blacklisted domain names to a local webserver on the firewall, so to bypass that you need to basically send back different DNS query results to the LAN ip.  This is possible via an exotic unbound configuration (similar to view statements in BIND).

  • Problem with DNSBL and Plex

    6
    0 Votes
    6 Posts
    1k Views
    RonpfSR

    @DaReaLDeviL:

    So here we go, all my settings are now like you greatly suggested but:

    I'm looking in the wrong menu? I don't have the "ip4 source definition" like you?!

    He is using the development version of pfBlockerNG.

  • Creating a list for pfBlockerNG from uBlock's Logger

    13
    0 Votes
    13 Posts
    3k Views
    M

    IP6?  Or it’s querying a different domain for ads…

    I’d consider putting a trace on the port 53 traffic from that host to see what it’s looking for and where.

  • The page is displayed correctly but I can not authenticate

    3
    0 Votes
    3 Posts
    323 Views
    F

    Finally I disabled the TLD. It consumes a lot of RAM; 8GB was quickly saturated.
    Thank you

  • How do I set exceptions?

    4
    0 Votes
    4 Posts
    548 Views
    B

    You may need to think about this in the opposite way. Instead of blocking, think about what countries you want to allow. You then create "alias" lists in pfBlockerNG which can be used to create your own firewall rules. 
    Depending which country list is shorter (allowed or blocked), I would start there, and remember you can always set "Invert Match" to accomplish what you want.

  • [Solved] Binary Defense banlist not updating

    7
    0 Votes
    7 Posts
    2k Views
    john_galtJ

    I just clicked the link and got this:

  • Pfblockerng php error

    1
    0 Votes
    1 Posts
    315 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.