Hi everyone,
We've been working on a new plugin for OPNsense and are now at the stage where we'd love some community feedback. The plugin is developed in cooperation with Deciso, and we're looking for users who are willing to test it on their own setups.
We are Q-Feeds, a provider of Threat Intelligence. We focus on delivering high-quality, real-time data about malware IPs, malicious domains, and phishing URLs, making it easier to block threats before they reach your network. Our goal is to make threat intelligence accessible to everyone by offering native integrations with firewalls, SIEMs, and other security platforms. Obviously we can't miss OPNsense on our list of supported platforms!
If you're interested in trying it out and sharing your experience, please let us know here in the thread or via DM. We will provide you with the installation details (one prebuilt command). Your feedback will really help us improve before a wider release in the plugins repository.
Thanks in advance for your support!
Best regards,
Stefan Sprenkels
Founder Q-Feeds
Interested!
Network engineer for almost 4 decades. Don't actually believe in IDS/IPS so if you have any novel approach compared to e.g. Zenarmor, I'd be even twice as interested.
Ditched Crowdsec, because while the approach is very appealing their free tier is not really useful and there is no offer for home use, i.e. in the range of 100 €/$ per year.
Kind regards,
Patrick
Wow, that was fast, thanks for jumping in so quickly! Q-Feeds takes a different approach than IDS/IPS – we focus on blocking threats at the firewall level using real-time intel (malware IPs, domains, phishing URLs), so no heavy inspection overhead. Although for this testing period only IP-based blocking will be available.
Totally agree with you on pricing, we want to keep things fair and also accessible for home use. You can find a bit more info here: https://qfeeds.com/opnsense . We provide a free community edition but also a plus and premium package including access to our Threat Intelligence Portal for IOC lookups f.e.
I'll DM you the install details so you can give it a spin. Looking forward to your feedback!
Hi Stefan,
Definitely interested to provide a testbed with my setup.
I have tried Suricata as well as Crowdsec. Crowdsec appealed to me most, but indeed kinda limited in terms of affordability.
Since I am running a few public NTP servers I would especially be interested if Q-Feeds also caters for NTP threats.
Kindly provide me the details.
Thanks!
Quote from: Kets_One on October 01, 2025, 09:30:24 PM
Hi Stefan,
Definitely interested to provide a testbed with my setup.
I have tried Suricata as well as Crowdsec. Crowdsec appealed to me most, but indeed kinda limited in terms of affordability.
Since I am running a few public NTP servers I would especially be interested if Q-Feeds caters to NTP threats.
Kindly provide me the details.
Thanks!
Hi Kets_One,
Thank you so much! Would love to hear your feedback. I'll send you the details in a DM.
Best regards,
Stefan
Stefan,
Would be interested in testing as well.
Thanks
zz00mm
Quote from: zz00mm on October 01, 2025, 10:48:55 PM
Stefan,
Would be interested in testing as well.
Thanks
zz00mm
Thank you, in your inbox!
Hello,
I want to test it too.
Disclaimer: I work for Deciso. I want to go through a new (community-scoped home user) customer experience to see what it's like.
Quote from: Monviech (Cedrik) on October 02, 2025, 09:15:09 AM
Hello,
I want to test it too.
Disclaimer: I work for Deciso. I want to go through a new (community-scoped home user) customer experience to see what it's like.
Thank you Cedrik, see PM. We look forward to hearing your feedback!
I installed the plugin, signed up to the website, got the API key, put it into the plugin, checked the ALIAS contents and it was populated.
I didn't run into any weird issues, so works for me. Overall very smooth.
Hi there,
Interested too. Not running any service for the outside world but I just want to give it a spin and see. Used Zenarmor (free version) in the past.
Quote from: Mo'Kai on October 02, 2025, 10:34:43 AM
Hi there,
Interested too. Not running any service for the outside world but I just want to give it a spin and see. Used Zenarmor (free version) in the past.
Much appreciated, Mo'Kai. I've just sent you the installation instructions.
Hi Stefan,
I'm also interested in testing out Q-Feeds.
I have a homelab with some public services and till now I'm using crowdsec and some public IP blocklists.
Thanks Rene
Hi,
I'm also interested in testing out Q-Feeds.
Steffen
Quote from: SteffenDE on October 02, 2025, 12:34:35 PM
Hi,
I'm also interested in testing out Q-Feeds.
Steffen
Please find the instructions in your PM. Feel free to share your initial findings here with us.
Quote from: mrpink on October 02, 2025, 12:00:27 PM
Hi Stefan,
I'm also interested in testing out Q-Feeds.
I have a homelab with some public services and till now I'm using crowdsec and some public IP blocklists.
Thanks Rene
Thank you Rene. I've sent the instructions to you via PM. Please let us know your thoughts.
Is there a way in the q-feeds dashboard to whitelist an IP address, e.g. if it's an accidental false positive that would impact production?
Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.
But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.
Quote from: Monviech (Cedrik) on October 02, 2025, 01:09:02 PM
Is there a way in the q-feeds dashboard to whitelist an IP address, e.g. if it's an accidental false positive that would impact production?
Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.
But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.
Indeed, at the moment this can only be done via a separate alias and firewall rule that matches before the Q-Feeds block rule. Of course, we do everything we can to prevent false positives. If you do encounter one, you can report it via support in the TIP.
And thank you for your input – this is a very good feature request, and we'll definitely add it to the roadmap!
A few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SNMP, for example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?
Quote from: Kets_One on October 02, 2025, 01:27:43 PM
A few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SNMP, for example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?
Thank you for sharing your findings, much appreciated.
Here are our answers:
- The logs can only be found in the OPNsense firewall logging when you enable logging for the Q-Feeds block rule. No information is uploaded from OPNsense to the TIP, so you won't see these block actions appear there.
What you can do with a paid subscription is look up IP addresses in the TIP to get more detailed information (context) why a specific IP is included in our database.
- The widget already gives you insights into the number of blocked IPs/URLs directly within OPNsense. Currently, there is no alert functionality (such as email or SNMP notifications). That said, this is excellent input — we'll take it with us for future development.
- The threat IPs/URLs are indeed downloaded locally to OPNsense (not checked live against our database).
• Q-Feeds community (Free): updated every 7 days
• Q-Feeds Plus (starting at €99 per year per firewall/IP): updated every 4 hours
• Q-Feeds Premium (starting at €249 per year per firewall/IP): updated every 20 minutes
More information about our premium packages can be found here: http://qfeeds.com/opnsense
installed and activated. No issues so far
Hi Stefan,
I am interested in testing the Q-Feeds plugin.
Thanks,
Will
Quote from: Mo'Kai on October 02, 2025, 05:41:10 PM
installed and activated. No issues so far
Thank you for confirming!
Quote from: willj8823 on October 02, 2025, 06:12:32 PM
Hi Stefan,
I am interested in testing the Q-Feeds plugin.
Thanks,
Will
Thank you, I've sent you the instructions.
Widget Not Functioning After Plugin Installation | Quick Fix
We've received feedback that the widget is not functioning well after installing the plugin.
After some investigation, we found that this happens because the configd service needs to be restarted.
You can fix this by either:
- Performing a full reboot, or
- Running the following command from command line:
service configd restart
Does this work with ipv6 threats?
I am on an IPv6-mostly network and when I tried crowdsec I could see it would only add a single /128 IPv6 address to their block list, so I gave up on Crowdsec. Typically the threats I was seeing were rolling through a /64 and never the same address, so the minimum block size for IPv6 should be the /64. A /64 is equivalent to an IPv4 single address with NAT.
I am interested in trying it out and sharing my experience.
Quote from: IsaacFL on October 02, 2025, 09:28:48 PM
Does this work with ipv6 threats?
I am on an IPv6-mostly network and when I tried crowdsec I could see it would only add a single /128 IPv6 address to their block list, so I gave up on Crowdsec. Typically the threats I was seeing were rolling through a /64 and never the same address, so the minimum block size for IPv6 should be the /64. A /64 is equivalent to an IPv4 single address with NAT.
Yes, we do support IPv6. However, the lifecycle of malicious IPv6 addresses tends to be relatively short. Because of this, the number of IPv6 IoCs we provide is more limited compared to IPv4. Let me know if you would like to test the Q-Feeds plugin/product.
Quote from: gtwop on October 02, 2025, 09:53:12 PM
I am interested in trying it out and sharing my experience.
Thank you, the information is in your PM.
I would also be interested, when you need more testers.
Best regards,
Marcus
Quote from: mzurhorst on October 03, 2025, 08:37:10 AM
I would also be interested, when you need more testers.
Best regards,
Marcus
The more input, the better!
We're especially interested to hear from all of you about:
- The user flow
- The widget (how it behaves and feels in practice)
- The results you're seeing
- And of course, the Q-Feeds TIP
Your feedback is incredibly valuable and will help us improve the overall experience.
Can you add me to your testers list as well?
Thanks
Quote from: Enigm69 on October 03, 2025, 10:15:22 AM
Can you add me to your testers list as well?
Thanks
Done, looking forward to hearing your findings!
It would be nice to see the update date of the alias list, then you could also see if the list doesn't update for whatever reason.
Or the services view should show some more info, like the web dashboard does.
Otherwise it works for now and setup is easy and unproblematic.
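Two threads of this discussion come down to the same local check: Q-Feeds explained above that the lists are downloaded to the firewall and refreshed per tier (community every 7 days, Plus every 4 hours, Premium every 20 minutes), and the post above asks to see when the alias was last updated. The POSIX shell script below is an added example, not code from the plugin or from Q-Feeds; it uses the feed path and alias name quoted elsewhere in this thread, reports the feed file's age and entry count, flags it as stale when it is older than twice its tier's refresh interval (my threshold, not the vendor's), and, where pfctl is present, tests whether an address is in the live pf table.

```shell
#!/bin/sh
# Added example (not part of the Q-Feeds plugin): freshness and membership
# checks for the locally downloaded Q-Feeds list on an OPNsense firewall.
# Path and table name are the ones quoted in the forum thread.
QFEEDS_FEED_FILE="${QFEEDS_FEED_FILE:-/var/db/qfeeds-tables/malware_ip.txt}"
QFEEDS_TABLE="${QFEEDS_TABLE:-__qfeeds_malware_ip}"

# Maximum acceptable feed age per license tier, in seconds.
# Assumption: a feed older than twice its refresh interval has missed at
# least one scheduled update (intervals as listed by Q-Feeds in the thread).
qfeeds_max_age() {
    case "$1" in
        community) echo $((2 * 7 * 24 * 3600)) ;;   # 7 days  -> 1209600
        plus)      echo $((2 * 4 * 3600)) ;;        # 4 hours -> 28800
        premium)   echo $((2 * 20 * 60)) ;;         # 20 min  -> 2400
        *)         echo "unknown tier: $1" >&2; return 1 ;;
    esac
}

# Modification time of a file as epoch seconds (GNU stat, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Age of the feed file in seconds, relative to $2 (epoch seconds; default now).
feed_age_seconds() {
    now="${2:-$(date +%s)}"
    mtime=$(file_mtime "$1") || return 1
    echo $((now - mtime))
}

# Exit 0 when the feed in $1 is older than the limit for tier $2.
# Optional $3 is a reference time in epoch seconds (useful for testing).
feed_is_stale() {
    max=$(qfeeds_max_age "$2") || return 2
    age=$(feed_age_seconds "$1" "$3") || return 2
    [ "$age" -gt "$max" ]
}

# Count address/prefix entries, skipping blank lines and '#' comments.
feed_count_entries() {
    grep -Ec '^[0-9a-fA-F.:]+(/[0-9]+)?$' "$1"
}

# Is address $1 currently in the live pf table? Uses pfctl's table test mode.
# Exit 0 = matched, 1 = not matched, 2 = pfctl not available on this host.
alias_contains_ip() {
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -t "$QFEEDS_TABLE" -T test "$1" >/dev/null 2>&1
}

# Human-readable status for the given tier (default: community).
# Returns 1 when the feed is missing or stale so it can drive a cron alert.
qfeeds_status() {
    tier="${1:-community}"
    if [ ! -r "$QFEEDS_FEED_FILE" ]; then
        echo "feed file $QFEEDS_FEED_FILE missing: plugin never fetched, or configd not running"
        return 1
    fi
    age=$(feed_age_seconds "$QFEEDS_FEED_FILE")
    echo "feed: $QFEEDS_FEED_FILE, $(feed_count_entries "$QFEEDS_FEED_FILE") entries, ${age}s old"
    if feed_is_stale "$QFEEDS_FEED_FILE" "$tier"; then
        echo "WARNING: older than allowed for tier '$tier'; check the plugin log for HTTP 429 or fetch errors"
        return 1
    fi
    echo "feed age is within the '$tier' refresh window"
}
```

Run `qfeeds_status plus` from a shell on the firewall (or from cron) for the tier you hold; `alias_contains_ip 192.0.2.10` answers the "is this address really blocked?" question from the live pf table rather than from the text file.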
Followed installation guide, each step functioned properly.
Upon completion the Firewall/Aliases was populated under Name: __qfeeds_malware_ip.
System/Firmware/Status shows a warning: "Resolve plugin conflicts" with two drop downs.
(1) "View and edit local conflicts" under Name: os-q-feeds-connector (misconfigured),
Repository: unknown-repository.
(2) "Reset all local conflicts" after choosing: ***GOT REQUEST TO RESYNC***
Currently running OPNsense 25.7.4 (amd64) at Fri Oct 3 07:35:54 EDT 2025
Registering plugin: os-q-feeds-connector
***DONE***
But the warning remains, also ran an audit system came up normal no errors.
Other than that the plugin works well.
That warning is normal until the plugin is available in the opnsense repository.
I'd be interested in trying the Q-Feeds plugin as well, if there's still room.
Not doing much publicly but to protect my home LAN and some small services.
Thanks!
Hi Stefan,
Also interested in testing your product, currently I use ZA (home version).
Regards,
Craig
I'm interested as well, currently using ZA myself
Regards,
-Brian
Thanks Brian and Craig. I've sent you the instructions via a PM. Looking forward to hearing your feedback!
Quote from: Q-Feeds on October 04, 2025, 04:06:15 PM
Thanks Brian and Craig. I've sent you the instructions via a PM. Looking forward to hearing your feedback!
So far it's been easy to set up, having a checkbox in settings to auto add rules might be nice moving forward but not super difficult to add a couple floating rules either. I also did end up getting a few errors and I only see a single alias/feed in the rules to select but I show three lists in the GUI for the plugin:
Quote
downloaded index to /var/db/qfeeds-tables/index.json
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)
Quote from: Lurick on October 04, 2025, 05:48:01 PM
Quote from: Q-Feeds on October 04, 2025, 04:06:15 PM
Thanks Brian and Craig. I've sent you the instructions via a PM. Looking forward to hearing your feedback!
So far it's been easy to set up, having a checkbox in settings to auto add rules might be nice moving forward but not super difficult to add a couple floating rules either. I also did end up getting a few errors and I only see a single alias/feed in the rules to select but I show three lists in the GUI for the plugin:
Quote
downloaded index to /var/db/qfeeds-tables/index.json
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)
Hi Brian,
Thank you for your feedback. I think that's a great idea for our roadmap, we've added it right away. The domains and URLs are still to be implemented within the plugin, but indeed they do already show up within the available feeds table. The DNS and URL feeds are the next big feature to be fully supported on our roadmap; we do expect this soon. We already have possibilities to implement this using pi-hole or adguard f.e.; if you're interested I can share the instructions for this workaround for now.
The errors you're seeing are actually expected. It means the plugin skipped the download of the new feed due to the rate limit related to the license. Community users are eligible for an update every 7 days, Plus users every 4 hours and Premium users every 20 minutes. If an update is triggered twice within those timeframes the plugin will show these 'errors'. Here's an overview of the available licenses: https://qfeeds.com/opnsense/
Best regards,
Stefan
I'm interested in trying it. Does it use the logs in any form for how it works?
Quote from: dan786 on October 04, 2025, 11:43:52 PM
I'm interested in trying it. Does it use the logs in any form for how it works?
Thank you very much for being willing to test it, already looking forward to your feedback. It uses aliases, so you define the firewall rules and link the alias with the firewall rule to block based on our intelligence. I'll send you the instructions via a PM.
My context is a home user who still runs their own mail server as a residue from my business server before I retired. Could be called "knows some stuff, definitely not a network engineer". Currently I run free Crowdsec to not much effect.
Looking at your web page I see that your first window describes the mid-tier as adding "Commercial IP data" but in the table further down the page the "Paid" row excludes IP as well as the DNS and URL. Is Paid = Commercial, just inconsistent naming? If so, is that an error, if not then what are the definitions please?
Otherwise the differences are IoC lookup and update time. Given that sooner or later everything is an IP address, URL, what is actually meant by separating "Commercial" from "OSINT" and "Services"?
I have also read the manual and would like to try it, if you have room for another tester. Initially I would install it on an internal Opnsense where it would check what goes out from the protected component of our network, and if all goes well then try it for both directions on the edge, adding the other two subnets (IoT & DMZ) progressively.
Thanks a lot for spotting that, you're absolutely right! That's a mistake on our side. The "Plus" tier should indeed include Commercial IP data. We've corrected it, and really appreciate you catching that! https://qfeeds.com/opnsense/
OSINT (Open Source Intelligence) data comes from open sources like communities, news etc. Commercial (or paid) data comes from vetted, paid intelligence providers. We notice these feeds usually detect threats faster and with better accuracy and quality. Think about APT groups etc. Services refers to the services around the TI and extra functionality that come with our Threat Intelligence Platform (TIP), like enrichment, faster updates, and extended IoC lookups.
We'd be happy to have you as a tester! Your setup sounds perfect for evaluating. I'll follow up with the details so you can get started.
Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!
Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.
4. The Feeds list on the plugin shows three lists but the TIP console shows 4 feeds for the free tier and 8 for the top paid tier. It might be good to make this more clear in some way. Maybe even just a tooltip that says if the three shown lists in the plugin encompass all available feeds for the API token.
For the QFeeds site:
1. On the main qfeeds webpage have a more direct link to the TIP console and other products as well, there doesn't appear to be a direct way from qfeeds.com to access the TIP console or other pages
2. Attack surface page on TIP console, might be good to have account manager email or contact methods auto populated for easier communication between end user and the qfeeds teams.
3. Opnsense banner on the TIP dashboard seems to cover some messages that pop-up and the X in dark mode was near invisible with the current banner color. Additionally, every time I navigate to a new page it shows back up after being dismissed.
4. Dark mode version definitely needs improvement. Right now text is very hard to read in a lot of cases.
5. API Keys shows "Allowed IPs" as "any" but no way to change this. I assume limiting where API calls can come from is coming at some point but just wanted to ask mostly if that's the case.
6. Company Information lists other companies for "Parent Company", not sure if this is a good idea to have companies listed here but just wanted to call this out.
7. Is there an android app coming at some point? I see the app page under Settings but it just mentions iPhone so I wasn't sure.
8. Company Information seems a bit difficult to get to since it's buried in "Manage API Keys" from the main Dashboard and that's a different page from User's API Keys page. I definitely feel as though a Company Information/Settings area at the top next to OR within "Settings" menu would be much better.
9. Company Information seems to require a "Role" but that's empty for me and as such I cannot save any changes on that page.
10. I have a link under Manage Company that it supposed to take me to "https://tip.qfeeds.com/views/admin/companies.php" but when I click "Back to Companies" it takes me to the dashboard. I feel as though this definitely should be cleaned up and the "https://tip.qfeeds.com/views/dashboard/index.php?error=Access%20denied" should be displayed as a message as well or something to handle this better for users within a company.
Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance
Thank you for the invite! So far, everything is working great.
There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.
I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.
For others, I also inquired and IPv6 is indeed supported and in the IP lists. It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.
One thing that was interesting (for me) was adding logging to the rules. As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN).
Dang is it hostile out there.
Quote from: Lurick on October 05, 2025, 01:10:44 PM
Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!
Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.
.............
Amazing Lurick! Thank you so much for this valuable feedback, really appreciate the time and detail you've put into it! We absolutely love it. It was quite a list, but we managed to address most of it right away! Here's our response:
For the plugin:
- There's a link to our website (which links to the TIP) under the help section. Since this is a bit hidden, we totally understand your feedback. We'll improve this in the next iteration.
- User hits are visible via the widget on the OPNsense dashboard. We're not planning to collect any user data to show in the TIP. The number of IOCs is also visible on the OPNsense dashboard widget. I agree it would be great to have such stats on the plugin's main page as well. We'll add this to the roadmap.
- You're absolutely right! At the moment, the OPNsense plugin only supports IP lists, but we'll be adding Domains and URLs soon. Stay tuned ;)
- Thanks a lot! This was indeed a bug in the console, it's fixed now!
For the Q-Feeds site:
- We're currently not planning to include all TIP functionality directly on the website, but we agree it should be more accessible. Thanks for the suggestion, we'll discuss it internally.
- Loved that feedback we've added a link to our contact page in the warning right away!
- That pop-up was super annoying indeed! It's fixed and much easier to read now.
- We've fixed this in many places already, but please let us know if you spot any more examples :)
- The limited allowed IPs are tied to paid subscriptions, since part of the license model depends on the number of firewalls (IPs). This is already functional but only editable by resellers or administrators. The field remains visible to end-users so they can distinguish between multiple keys.
- This was a fun one, thanks for catching it! Just to explain: the portal is designed for distributors, MSPs, and resellers as well. That field is meant for assigning end-users to resellers or resellers to distributors when applicable. Regular end-users and community users shouldn't see it anymore.
- We've updated the description. It's actually a Progressive Web App (PWA), so it's Android-ready too!
- Great catch, fixed it!
- Nice find! This issue was similar to observation 6. Thanks again for reporting it!
- Cleaned up and organized, everything now lives under 'Settings'.
Quote from: _tribal_ on October 05, 2025, 05:34:42 PM
Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance
Thank you! Sent you a PM with the instructions.
Quote from: dmurphy on October 05, 2025, 08:04:33 PM
Thank you for the invite! So far, everything is working great.
There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.
I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.
For others, I also inquired and IPv6 is indeed supported and in the IP lists. It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.
One thing that was interesting (for me) was adding logging to the rules. As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN).
Dang is it hostile out there.
Luckily you were able to sort it out but we'll update it in the guide anyway :), thanks for pointing it out!
Regarding the 'auto add rules button': On the roadmap :)
While V6 is not necessarily cleaner, cybercriminals are able to rotate IP addresses quicker. That said, they're quite short-lived in our lists. And I can agree: the more blocked, the better!
"Dang is it hostile out there." --- dmurphy
Unfortunately it is...
Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.
Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.
Quote from: Patrick M. Hausen on October 05, 2025, 09:26:16 PM
Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.
Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.
Hi Patrick,
Thank you very much for your feedback!
Your suggestion regarding the aliases is a great idea and we'll discuss this internally.
As for the payment, I've sent you a PM to look into it further.
Looks like the Apple Pay quick checkout did not work as expected.
But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?
Quote from: Patrick M. Hausen on October 05, 2025, 09:47:37 PM
Looks like the Apple Pay quick checkout did not work as expected.
But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?
Hi Patrick,
Thanks for checking, it seems the Apple Pay checkout didn't process correctly indeed. We've temporarily disabled Apple Pay while we look into this issue.
Regarding your question: the OPNsense Basic License was the former name of the Community Version. Together with OPNsense/Deciso, we decided to make this version freely available for the community, so the Basic Package is no longer available for purchase.
Thanks again for your feedback and for pointing this out, and we would like to invite you to try our check-out flow again :).
Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of an auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that may be unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig
Hi,
Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.
Network engineer here, I am mostly doing last end support (or whatever that means in my company).
I am as well for several years running ZA, and this looks to me like a potential contender/replacement. There are two hurdles with ZA currently:
- no Multicore support for Home licenses, which significantly impact network performance
- data collection/privacy
Several questions occurred to me when reading this topic:
Quote
we focus on blocking threats at the firewall level using real-time intel (malware IPs, domains, phishing URLs), so no heavy inspection overhead.
1. Thus this means you are not using netmap, but keeping it simple by locally updating/loading lists of blocking IPs populated into FW rules?
2. Are you at all collecting any data or telemetry from customers or installations of this plugin?
3. What specific OSINTs do you use? I hope it's not just some random scrape from the internet.
4. Which vetted Commercial providers do you use for the Paid sub?
5. This product looks similar to Spamhaus, Greensnow & others, what is the actual benefit from your point compared to these?
Regards,
S.
Quote from: llama6668 on Today at 06:21:13 AM
Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of an auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that may be unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig
Hi llama6668,
Thank you very much for your feedback! We've added it to our improvement list!
Quote from: Seimus on Today at 10:19:45 AM
Hi,
Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.
Network engineer here, I am mostly doing last end support (or what ever that means in my company).
............
Hi Seimus,
Thank you for your interest and the great questions! Good news upfront: you're not too late to the party, I'll send you the instructions in a minute.
Here are the answers:
- This is exactly what we're doing, we're just using the native packet filter (pf) to block based on the aliases.
- No, we don't collect any personal data regarding connections, blocks etc. The only thing we 'collect', or better say monitor, are the API requests for pulling the latest Threat Intelligence. All the data we collect is also visible in our TIP. To provide an overview, we collect: date and time of when the API call was made to pull in the TI, IP addresses (licenses are bound per firewall), and the client header to see which platform is being used (in this case OPNsense, of course).
- We don't just scrape data from the internet. Our threat intelligence is built from 2,500+ different sources, combining commercial, public, and proprietary intelligence. This includes commercial and paid feeds such as URL, botnet, malware, IP, and intrusion databases, alongside public OSINT from social media, dark web, and phishing data. In addition, we enrich our intelligence as well with proprietary sources from our own honeypots, network activity, logs, and scans.
What really sets Q-Feeds apart is how we connect the dots between these different pieces of intelligence, creating a more comprehensive and contextual threat picture. To ensure high data quality, we only use verified and trustworthy sources. We validate all data against RFC internet technical standards, false positives and so on. We remove duplicates, and apply relevance filtering to keep the most accurate and actionable intelligence.
This layered approach ensures our feeds are reliable, validated, and meaningful, not just random data from the web.
- It's a combination of the leading cybersecurity vendors in the world. We're not able to provide you the details because of agreements we've made with them.
- I could tell you a great story that we're the absolute best compared with them, but it's better to advise you to put it to the test ;-) We believe in the world of cybersecurity every solution is complementary to each other.
Kind regards,
David
Hello David,
Many thanks for the replies. I am looking forward to trying it out!
I see a huge potential in this, mainly because there is no extra overhead, this means network performance should be on par.
Many of us may have slower internet connections (<1Gbit/s), but run High speed LANs for internal services.
Regards,
S.
Quote from: Seimus on Today at 12:01:31 PM
Hello David,
Many thanks for the replies. I am looking forward to trying it out!
I see a huge potential in this, mainly because there is no extra overhead, this means network performance should be on par.
Many of us may have slower internet connections (<1Gbit/s), but run High speed LANs for internal services.
Regards,
S.
Even better, in some cases we see a drop in the firewall load since we're blocking all the crap :) I'm glad you're as enthusiastic as we are, looking forward to your feedback! I've sent you a PM with the instructions ;)
Stefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?
I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?
Quote from: passeri on Today at 12:16:59 PM
Stefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?
I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?
Hi Passeri,
Licensing is per firewall indeed; we check it based on IP. This is not applicable for the community version, that's an all-you-can-eat recipe with no restrictions besides the refresh rate. That said, for every firewall you need a new API token in order to be able to pull the data.
Kind regards,
David