@iyad:

Please i got this message and i can't find the issue

===[  IPv4 Process  ]=================================================

[ forbid ] Downloading update  .. completed ..
  Empty file, Adding '1.1.1.1' to avoid download failure.

[ Badsites_custom ] Downloading update [ 05/14/18 12:52:00 ]connect: No route to host
connect: No route to host
connect: No route to host

. completed ..
[ pfB_Badsites Badsites_custom ] Custom List Error ]

In the IPv4/6 tab, click on the blue infoblock icons and you will see the correct format for adding URLs. It looks like the pfSense box can't connect to the URL you entered:

Local file:    http(s)://127.0.0.1/filename  or  /var/db/pfblockerng/filename

For the customlist, you need to enter one IP per line (also click on blue infoblock icon for details)

In pfblockerNG General tab, disable pfBlockerNG and uncheck Keep Settings, save, this will clear all downloaded lists.

Then remove package pfBlockerNG.

Last add package pfBlockerNG, this should gave you a blank pfBlockerNG configuration.

Ok thanks. I got that to work.

But I guess I was looking for a way to bypass the firewall rules as well as DNSBL (i.e. I wanted a subnet on my LAN which would behave as though pfblockerng was not installed).

I found this post:

https://forum.pfsense.org/index.php?topic=119031.0

which seems to suggest that the only way around DNSBL is to push an entirely separate DNS entry for the hosts that will bypass DNSBL. The problem with this though is that these hosts will not be able to take advantage of DNS over TLS as implemented in pfsense.

Is there any other way to bypass DNSBL?

Thanks. That was it obviously

As pointed out to me in another post.
https://forum.pfsense.org/index.php?topic=139634.0

I had missed that but am now a supporter. Thanks.

Okay so here is what I really need help with.
I want to block Outgoing packets to Russian and China with the exception of my torrents which I want to send through port 17000.

How would I implement this, as the "Invert" option does not appear for ports only for sources or destinations.

@jdeloach:

@ARAMP1:

Thanks.  It ended up being the "pfB_Top_v6 auto rule" on my LAN1.  I disabled it and now can access the website.  Now, to figure out what the rule did and what I did by disabling it.  :o

The web site, raspberrypi.org, appears to reside in the country of Great Britain per Whois.com.  Are you blocking the country, Great Britain?  If so, unblock it in the block list, if pfB_Top_v6  list includes this country.

United Kingdom is listed in Top 20 and Europe and I have them both unblocked.  :(

For it to address the CNAME issue you will need to remember to whitelist sites via the reporting UI, and using that won’t be any different to you listing them yourself as both the server and servers they refer to will end up in the whitelist.  So don’t feel a need to wipe & redeploy.

When I click on the infoblock I see :

Note: These entries are only Whitelisted when Feeds are downloaded or on a 'Force Reload'.

::)

Thanks. I guess I was being thick :)

John

Actually I am having difficulties with the cron settings, very similar to this person (drewsaur):
https://forum.pfsense.org/index.php?topic=129048.0
unfortunately it was decided he did not have a bug and ignored :(

I get the same error, only ever updates at 1:30.  Played around with it a bit, and it seems the only field that takes is the minute field "pfb_min" it ignores the rest.  The cron settings solution you indicated is a good idea, but seems unlikely to work because of the above error.  Unlike drewsaur, having it only update at 1:30 am was not really a problem for me.  Rather then try and fix a messed up cron thing, I figured it would be easier just to add a new job for what I wanted.

. . .

I dug through the pfblockerng_update.php to find the command, it it looks like its not command line at all per say, but sending a call to pfblockerng.php, which in turn calls sync_package_pfblockerng.  Not familiar with bsd or package manager so will continue down the rabbit hole when I have time.

edit:
sync_package_pfblockerng is not a package manager call at all I guess, it is defined in pfblockerng.inc, which is executing .php to do the update.  A neat way to do it.

edit:
answering my original question:

commands for pfblocker can be executed with:
/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php [put your option here]
ex: /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update

the options for [put your option here] are defined in the /usr/local/www/pfblockerng/pfblockerng.php file in a switch statement.  None of them achieve the objective of my original question.

My personal solution was to add a new option by editing pfblockerng.php & pfblockerng.inc.  This is a grade A hack job, but if anyone is interested inquire and I will post the details.

For me, the Alerts tab in pfBlockerNG showed that 1.1.1.1 was blocked because it was on the Abuse_Zeus list.  I had to add this IP to the Supress List by clicking on the "+" symbol in that row of the Alerts table.  Then I had to disable and re-enable pfBlockerNG to get 1.1.1.1 to be unblocked.

BTW, after making changes to pfBlockerNG.inc:

head -10 pfb_dnsbl.conf

local-data: "004b17a0c349157de.com 60 IN A 0.0.0.0"
local-data: "006a039c957c142bb.com 60 IN A 0.0.0.0"
local-data: "007-gateway.com 60 IN A 0.0.0.0"
local-data: "0073dd485d46d930dd9.com 60 IN A 0.0.0.0"
local-data: "00aaa2d81c1d174.com 60 IN A 0.0.0.0"
local-data: "00e20f955428d.com 60 IN A 0.0.0.0"
local-data: "00zasdf.pw 60 IN A 0.0.0.0"
local-data: "012469af389a1d1246d.com 60 IN A 0.0.0.0"
local-data: "0194c6fcbb3.com 60 IN A 0.0.0.0"
local-data: "019f2d2d415.review 60 IN A 0.0.0.0"

The problem is not so much what unbound can handle, that seems to be limited by RAM, the list updates from pfBlocker can be done seamlessly.

The problem you’ll have is that if you have DHCP allocating names to IPs then every time you do so it restarts unbound which reloads everything and that takes time with a big list.  My system (N3150, 8gb + SSD) starts getting grumpy after ~600,000 domains but it’s just reload time.

I looked at looking at how DHCP sets up the names to use the seamless method that pfB does, though it may be possible to double up on DNS servers somehow with a clever config.