OPNsense Forum

Hi everyone,

We've been working on a new plugin for OPNsense and are now at the stage where we'd love some community feedback. The plugin is developed in cooperation with Deciso, and we're looking for users who are willing to test it on their own setups.

We are Q-Feeds, a provider of Threat Intelligence. We focus on delivering high-quality, real-time data about malware IPs, malicious domains, and phishing URLs, making it easier to block threats before they reach your network. Our goal is to make threat intelligence accessible to everyone by offering native integrations with firewalls, SIEMs, and other security platforms. Obviously we can't miss OPNsense on our list of supported platforms!

If you're interested in trying it out and sharing your experience, please let us know here in the thread or via DM. We will provide you with the installation details (one prebuilt command). Your feedback will really help us improve before a wider release in the plugins repository.

Thanks in advance for your support!

Best regards,

Stefan Sprenkels
Founder Q-Feeds

Interested!

Network engineer for almost 4 decades. Don't actually believe in IDS/IPS so if you have any novel approach compared to e.g. Zenarmor, I'd be even twice as interested.

Ditched Crowdsec, because while the approach is very appealing their free tier is not really useful and there is no offer for home use, i.e. in the range of 100 €/$ per year.

Kind regards,
Patrick

Wow, that was fast thanks for jumping in so quickly! Q-Feeds takes a different approach than IDS/IPS – we focus on blocking threats at the firewall level using real-time intel (malware IPs, domains, phishing URLs), so no heavy inspection overhead. Although for this testing period only IP based blocking will be available.

Totally agree with you on pricing, we want to keep things fair and also accessible for home use. You can find a bit more info here: https://qfeeds.com/opnsense . We provide a free community edition but also a plus and premium package including access to our Threat Intelligence Portal for IOC lookups f.e.

I'll DM you the install details so you can give it a spin. Looking forward to your feedback!

Hi Stefan,

Definately interested to provide a testbed with my setup.
I have tried Suricata as well as Crowdsec. Crowdsec appealed to me most, but indeed kinda limited in terms of affordability.
Since i am running a few public NTP servers i would especially be interested if Q-Feeds also caters for NTP  threats.
Kindly provide me the details.

Thanks!

Quote from: Kets_One on October 01, 2025, 09:30:24 PMHi Stefan,

Definately interested to provide a testbed with my setup.
I have tried Suricata as well as Crowdsec. Crowdsec appealed to me most, but indeed kinda limited in terms of affordability.
since i am running a few public NTP servers i would especially be interested if Q-Feeds caters to NTP  threats.
Kindly provide me the details.

Thanks!

Hi Kets_One,

Thank you so much! Would love to hear your feedback. I'll send you the details in a DM.

Best regards,

Stefan

Stefan,
     Would be interested in testing as well.

Thanks
zz00mm

Quote from: zz00mm on October 01, 2025, 10:48:55 PMStefan,
    Would be interested in testing as well.

Thanks
zz00mm

Thank you, in your inbox!

Hello,

I want to test it too.

Disclaimer: I work for Deciso. I wanne go through a new (community scoped home user) customer experience to see how it works like.

Quote from: Monviech (Cedrik) on October 02, 2025, 09:15:09 AMHello,

I want to test it too.

Disclaimer: I work for Deciso. I wanne go through a new (community scoped home user) customer experience to see how it works like.

Thank you Cedrik, see PM. We look forward to hearing your feedback!

I installed the plugin, signed up to the website, got the API key, put it into the plugin, checked the ALIAS contents and it was populated.

I didn't run into any weird issues, so works for me. Overall very smooth.

Hi there,

interested too. Not running any service for the ouside world but I just want to give it a spin and see. Used Zenarmour (free version) in the past.

Quote from: Mo'Kai on October 02, 2025, 10:34:43 AMHi there,

interested too. Not running any service for the ouside world but I just want to give it a spin and see. Used Zenarmour (free version) in the past.

Much appreciated, Mo'Kai. I've just sent you the installation instructions.

Hi Stefan,

I'm also interested in testing out Q-Feeds.
I have a homelab with some public services and till now I'm using crowdsec and some public IP blocklists.

Thanks Rene

Hi,

I'm also interested in testing out Q-Feeds.

Steffen

Quote from: SteffenDE on October 02, 2025, 12:34:35 PMHi,

I'm also interested in testing out Q-Feeds.

Steffen

Please find the instructions in your PM. Feel free to share your initial findings here with us.

Quote from: mrpink on October 02, 2025, 12:00:27 PMHi Stefan,

I'm also interested in testing out Q-Feeds.
I have a homelab with some public services and till now I'm using crowdsec and some public IP blocklists.

Thanks Rene

Thank you Rene. I've sent the instructions to you via PM. Please let us know your thoughts.

Is there a way in the q-feeds dashboard to whitelist an IP address, e.g. if its an accidental false positive that would impact production?

Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.

But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.

Quote from: Monviech (Cedrik) on October 02, 2025, 01:09:02 PMIs there a way in the q-feeds dashboard to whitelist an IP address, e.g. if its an accidental false positive that would impact production?

Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.

But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.

Indeed, at the moment this can only be done via a separate alias and firewall rule that matches before the Q-Feeds block rule. Of course, we do everything we can to prevent false positives. If you do encounter one, you can report it via support in the TIP.

And thank you for your input – this is a very good feature request, and we'll definitely add it to the roadmap!

A few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SMNP. For example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?

Quote from: Kets_One on October 02, 2025, 01:27:43 PMA few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SMNP. For example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?

Thank you for sharing your findings, much appreciated.
Hereby our answers:

- The logs can only be found in the OPNsense firewall logging when you enable logging for the Q-Feeds block rule. No information is uploaded from OPNsense to the TIP, so you won't see these block actions appear there.
What you can do with a paid subscription is look up IP addresses in the TIP to get more detailed information (context) why a specific IP is included in our database.

- The widget already gives you insights into the number of blocked IPs/URLs directly within OPNsense. Currently, there is no alert functionality (such as email or SNMP notifications). That said, this is excellent input — we'll take it with us for future development.

- The threat IPs/URLs are indeed downloaded locally to OPNsense (not checked live against our database).
•⁠  ⁠Q-Feeds community (Free): updated every 7 days
•⁠  ⁠Q-Feeds Plus (starting at €99 per year per firewall/IP): updated every 4 hours
•⁠  ⁠Q-Feeds Premium (starting at €249 per year per firewall/IP): updated every 20 minutes

More information about our premium packages can be found here: http://qfeeds.com/opnsense (http://qfeeds.com/opnsense)

installed and activated. No issues so far

Hi Stefan,

I am interested in testing the Q-Feeds plugin.

Thanks,

Will

Quote from: Mo'Kai on October 02, 2025, 05:41:10 PMinstalled and activated. No issues so far

Thank you for confirming!

Quote from: willj8823 on October 02, 2025, 06:12:32 PMHi Stefan,

I am interested in testing the Q-Feeds plugin.

Thanks,

Will

Thank you, I've sent you the instructions.

Widget Not Functioning After Plugin Installation | Quick Fix

We've received feedback that the widget is not functioning well after installing the plugin.
After some investigation, we found that this happens because the configd service needs to be restarted.

You can fix this by either:

• Performing a full reboot, or
• Running the following command from command line:

 

service configd restart

Does this work with ipv6 threats?

I am a ipv6 mostly network and when I tried crowdsec I could see it would only add a single /128 ipv6 address to their block list so I gave up on Crowdsec. Typically the threats I was seeing were rolling thru a /64 and never same address, so minimum block size for ipv6 should be the /64. A /64 is equivalent to an ipv4 single address with NAT.

I am interested in trying it out and sharing my experience.

Quote from: IsaacFL on October 02, 2025, 09:28:48 PMDoes this work with ipv6 threats?

I am a ipv6 mostly network and when I tried crowdsec I could see it would only add a single /128 ipv6 address to their block list so I gave up on Crowdsec. Typically the threats I was seeing were rolling thru a /64 and never same address, so minimum block size for ipv6 should be the /64. A /64 is equivalent to an ipv4 single address with NAT.

Yes, we do support IPv6. However, the lifecycle of malicious IPv6 addresses tends to be relatively short. Because of this, the number of IPv6 IoCs we provide is more limited compared to IPv4. Let me know if you would like to test the Q-Feeds plugin/product.

Quote from: gtwop on October 02, 2025, 09:53:12 PMI am interested in trying it out and sharing my experience.

Thank you, Information is in your pm.

I would also be interested, when you need more testers.
Best regards,
   Marcus

Quote from: mzurhorst on October 03, 2025, 08:37:10 AMI would also be interested, when you need more testers.
Best regards,
  Marcus

The more input, the better!
We're especially interested to hear from all of you about:

• The user flow
• The widget (how it behaves and feels in practice)
• The results you're seeing
• And of course, the Q-Feeds TIP
  

Your feedback is incredibly valuable and will help us improve the overall experience.

Can you add me to your testers list as well.

Thanks

Quote from: Enigm69 on October 03, 2025, 10:15:22 AMCan you add me to your testers list as well.

Thanks

Done, looking forward to hearing your findings!

It would be nice to see the update date of the alias list, then you could also see if the list doesn't update for whatever reason.

Or at the services view should some more info's like the web dashboard.

Otherwise it works for now and setup is easy and unproblematic.

Followed installation guide, each step functioned properly.

Upon completion the Firewall/Aliases was populated under Name: __qfeeds_malware_ip.

System/Firmware/Status shows a warning: "Resolve plugin conflicts" with two drop downs.

(1) "View and edit local conflicts" under Name: os-q-feeds-connector (misconfigured),
Repository: unknown-repository.

(2) "Reset all local conflicts" after choosing: ***GOT REQUEST TO RESYNC***
Currently running OPNsense 25.7.4 (amd64) at Fri Oct  3 07:35:54 EDT 2025
Registering plugin: os-q-feeds-connector
***DONE***

But the warning remains, also ran an audit system came up normal no errors.

Other than that the plugin works well.

That warning is normal until the plugin is available in the opnsense repository.

I'd be interested in trying the Q-Feeds plugin as well, if there's still room.

Not doing much publicly but to protect my home LAN and some small services.

Thanks!

Hi Stefan,
Also interested in testing your product, currently I use ZA (home version).
Regards,
Craig

I'm interested as well, currently using ZA myself

Regards,
-Brian

Thanks Brian and Craig. I've send you the instructions via a PM. Looking forward to hear your feedback!

Quote from: Q-Feeds on October 04, 2025, 04:06:15 PMThanks Brian and Craig. I've send you the instructions via a PM. Looking forward to hear your feedback!

So far it's been easy to setup, having a checkbox in settings to auto add rules might be nice moving forward but not super difficult to add a couple floating rules either. I also did end up getting a few errors and I only see a single alias/feed in the rules to select but I show three lists in the GUI for the plugin:

Quotedownloaded index to /var/db/qfeeds-tables/index.json
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Quote from: Lurick on October 04, 2025, 05:48:01 PM

Quote from: Q-Feeds on October 04, 2025, 04:06:15 PMThanks Brian and Craig. I've send you the instructions via a PM. Looking forward to hear your feedback!

So far it's been easy to setup, having a checkbox in settings to auto add rules might be nice moving forward but not super difficult to add a couple floating rules either. I also did end up getting a few errors and I only see a single alias/feed in the rules to select but I show three lists in the GUI for the plugin:

Quotedownloaded index to /var/db/qfeeds-tables/index.json
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Hi Brian,

Thank you for your feedback. I think that's a great idea for our roadmap, we've added it right away. The domains and URLs are still to be implemented within the plugin but indeed they do already show up within the available feeds table. The DNS and URL feeds is the next big feature to be fully supported on our roadmap, we do expect this soon. We already do have possibilities to implement this using pi-hole or adguard f.e. if you're interested I can share the instructions for this workaround for now.

The errors you're seeing are actually expected. It means the plugin skipped the download of the new feed due to the rate limit related to the license. Community users are eligible for an update every 7 days, Plus users every 4 hours and Premium users every 20 minutes. If an update is triggered twice within those timeframes the plugin will show these 'errors'. Here's an overview of the available licenses: https://qfeeds.com/opnsense/

Best regards,

Stefan

I'm interested in trying it . Does it use the logs in any form for how it works ?

Quote from: dan786 on October 04, 2025, 11:43:52 PMI'm interested in trying it . Does it use the logs in any form for how it works ?

Thank you very much that you're willing to test it, already looking forward to your feedback. It will use aliases so you can define the firewall rules and link the alias with the firewall rule to block it based on our intelligence. I'll send you the instructions via a PM.

My context is a home user who still runs their own mail server as a residue from my business server before I retired. Could be called "knows some stuff, definitely not a network engineer". Currently I run free Crowdsec to not much effect.

Looking at your web page I see that your first window describes the mid-tier as adding "Commercial IP data" but in the table further down the page the "Paid" row excludes IP as well as the DNS and URL. Is Paid = Commercial, just inconsistent naming? If so, is that an error, if not then what are the definitions please?

Otherwise the differences are IoC lookup and update time. Given that sooner or later everything is an IP address, URL, what is actually meant by separating "Commercial" from "OSINT" and "Services"?

I have also read the manual and would like to try it, if you have room for another tester. Initially I would install it on an internal Opnsense where it would check what goes out from the protected component of our network, and if all goes well then try it for both directions on the edge, adding the other two subnets (IoT & DMZ) progressively.

Thanks a lot for spotting that, you're absolutely right! That's a mistake on our side. The "Plus" tier should indeed include Commercial IP data. We've corrected it, and really appreciate you catching that! https://qfeeds.com/opnsense/ (https://qfeeds.com/opnsense/)


OSINT (Open Source Intelligence) data comes from open sources like communities, news etc. Commercial (or paid) data comes from vetted, paid intelligence providers. We notice these feeds usually detect threats faster and with better accuracy and quality. Think about APT groups etc.  Services refers to the services around the TI and extra functionality that come with our Threat Intelligence Platform (TIP), like enrichment, faster updates, and extended IoC lookups.

We'd be happy to have you as a tester! Your setup sounds perfect for evaluating. I'll follow up with the details so you can get started.

Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missnig.
4. The Feeds list on the plugin shows three lists but the TIP console shows 4 feeds for the free tier and 8 for the top paid tier. It might be good to make this more clear in some way. Maybe even just a tooltip that says if the three shown lists in the plugin encompass all available feeds for the API token.

For the QFeeds site:
1. On the main qfeeds webpage have a more direct link to the TIP console and other products as well, there doesn't appear to be a direct way from qfeeds.com to access the TIP console or other pages
2. Attack surface page on TIP console, might be good to have account manager email or contact methods auto populated for easier communication between end user and the qfeeds teams.
3. Opnsense banner on the TIP dashboard seems to cover some messages that pop-up and the X in dark mode was near invisible with the current banner color. Additionally, every time I navigate to a new page it shows back up after being dismissed.
4. Dark mode version definitely needs improvement. Right now text is very hard to read in a lot of cases.
5. API Keys shows "Allowed IPs" as "any" but no way to change this. I assume limiting where API calls can come from is coming at some point but just wanted to ask mostly if that's the case.
6. Company Information lists other companies for "Parent Company", not sure if this is a good idea to have companies listed here but just wanted to call this out.
7. Is there an android app coming at some point? I see the app page under Settings but it just mentions iPhone so I wasn't sure.
8. Company Information seems a bit difficult to get to since it's buried in "Manage API Keys" from the main Dashboard and that's a different page from User's API Keys page. I definitely feel as though a Company Information/Settings area at the top next to OR within "Settings" menu would be much better.
9. Company Information seems to require a "Role" but that's empty for me and as such I cannot save any changes on that page.
10. I have a link under Manage Company that it supposed to take me to "https://tip.qfeeds.com/views/admin/companies.php" but when I click "Back to Companies" it takes me to the dashboard. I feel as though this definitely should be cleaned up and the "https://tip.qfeeds.com/views/dashboard/index.php?error=Access%20denied" should be displayed as a message as well or something to handle this better for users within a company.

Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance

Thank you for the invite!  So far, everything is working great.

There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.

I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.

For others, I also inquired and IPv6 is indeed supported and in the IP lists.  It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.

One thing that was interesting (for me) was adding logging to the rules.  As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN.

Dang is it hostile out there.

Quote from: Lurick on October 05, 2025, 01:10:44 PMFeedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missnig.

.............

Amazing Lurick! Thank you so much for this valuable feedback, really appreciate the time and detail you've put into it! We absolutely love it. It was quite a list, but we managed to address most of it right away! Here's our response:

For the plugin:

• There's a link to our website (which links to the TIP) under the help section. Since this is a bit hidden, we totally understand your feedback. We'll improve this in the next iteration.
• User hits are visible via the widget on the OPNsense dashboard. We're not planning to collect any user data to show in the TIP. The number of IOCs is also visible on the OPNsense dashboard widget. I agree it would be great to have such stats on the plugins main page as well. We'll add this to the roadmap.
• You're absolutely right! At the moment, the OPNsense plugin only supports IP lists, but we'll be adding Domains and URLs soon. Stay tuned ;)
• Thanks a lot! This was indeed a bug in the console, it's fixed now!

For the Q-Feeds site:

• We're currently not planning to include all TIP functionality directly on the website, but we agree it should be more accessible. Thanks for the suggestion, we'll discuss it internaly.
• Loved that feedback we've added a link to our contact page in the warning right away!
• That pop-up was super annoying indeed! It's fixed and much easier to read now.
• We've fixed this in many places already, but please let us know if you spot any more examples :)
• The limited allowed IPs are tied to paid subscriptions, since part of the license model depends on the number of firewalls (IPs). This is already functional but only editable by resellers or administrators. The field remains visible to end-users so they can distinguish between multiple keys.
• This was a fun one, thanks for catching it! Just to explain: the portal is designed for distributors, MSPs, and resellers as well. That field is meant for assigning end-users to resellers or resellers to distributors when applicable. Regular end-users and community users shouldn't see it anymore.
• We've updated the description. It's actually a Progressive Web App (PWA), so it's Android-ready too!
• Great catch, fixed it!
• Nice find! This issue was similar to observation 6. Thanks again for reporting it!
• Cleaned up and organized, everything now lives under 'Settings'.

Quote from: _tribal_ on October 05, 2025, 05:34:42 PMHi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance

Thank you! Send you a PM with the instructions.

Quote from: dmurphy on October 05, 2025, 08:04:33 PMThank you for the invite!  So far, everything is working great.

There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.

I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.

For others, I also inquired and IPv6 is indeed supported and in the IP lists.  It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.

One thing that was interesting (for me) was adding logging to the rules.  As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN.

Dang is it hostile out there.

Luckily you were able to sort it out but we'll update it in the guide anyway :), thanks for pointing it out!
Regarding the 'auto add rules button': On the roadmap :)

While V6 is not necessarily cleaner, cybercriminals are able to rotate IP addresses quicker. That said they're quite short-lived in our lists. And can agree with more, the more blocked the better !

"Dang is it hostile out there." --- dmurphy
Unfortunately it is...

Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.

Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.

Quote from: Patrick M. Hausen on October 05, 2025, 09:26:16 PMInstallation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.

Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.

Hi Patrick,

Thank you very much for your feedback!
Your suggestion regarding the aliases is a great idea and we'll discuss this internally.

As for the payment, I've sent you a PM to look into it further.

Looks like the Apple Pay quick checkout did not work as expected.

But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?

Quote from: Patrick M. Hausen on October 05, 2025, 09:47:37 PMLooks like the Apple Pay quick checkout did not work as expected.

But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?

Hi Patrick,

Thanks for checking, it seems the Apple Pay checkout didn't process correctly indeed. We've temporarily disabled Apple Pay while we look into this issue.

Regarding your question: the OPNsense Basic License was the former name of the Community Version. Together with OPNsense/Deciso, we decided to make this version freely available for the community, so the Basic Package is no longer available for purchase.

Thanks again for your feedback and for pointing this out and we would like to invite to try our check-out flow again :).

Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of a auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that maybe unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig

Hi,

Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.

Network engineer here, I am mostly doing last end support (or what ever that means in my company).

I am as well for several years running ZA, and this looks to me like a potential contender/replacement. There are two hurdles with ZA currently;
- no Multicore support for Home licenses, which significantly impact network performance
- data collection/privacy

Several questions occurred to me when reading this topic;

Quotewe focus on blocking threats at the firewall level using real-time intel (malware IPs, domains, phishing URLs), so no heavy inspection overhead.

1. Thus this means you are not using netmap, but keeping it simple by locally updating/loading lists of blocking IPs populated into FW rules?
2. Are you at all collecting any data or telemetry from customers or installations of this plugin?
3. What specific OSINTs you use? I hope its not just some random scrape from internet
4. Which vetted Commercial providers do you use for the Paid sub?
5. This product looks similar to Spamhaus, Greensnow & others, what is the actual benefit from your point compared to these?

Regards,
S.

Quote from: llama6668 on October 06, 2025, 06:21:13 AMHi Stefan,
No problems with installation, feedback as follows:
1. In the absence of a auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that maybe unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig

Hi llama6668,

Thank you very much for your feedback! We've added it to our improvement list!

Quote from: Seimus on October 06, 2025, 10:19:45 AMHi,

Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.

Network engineer here, I am mostly doing last end support (or what ever that means in my company).

............

Hi Seimus,

Thank you for your interest and the great questions! Good news upfront; you're not too late to the party, I'll send you the instructions in a minute.

Here are the answers:

• This is exactly what we're doing, we're just using the native packet filter (pf) to block based on the aliases
• No we don't collect any personal data regarding connections, blocks etc. The only thing we 'collect' or better say monitor are the API-request for pulling the latest Threat Intelligence. All the data we collect is also visible in our TIP. To provide an overview we collect: Date and time of when the API call has been made to pull in the TI, IP addresses (licenses are bound per firewall), and the client header to see which platform is being used (in this case OPNsense off coarse).
• We don't just scrape data from the internet. Our threat intelligence is built from over 2,500+ different sources, combining commercial, public, and proprietary intelligence. This includes commercial and paid feeds such as URL, botnet, malware, IP, and intrusion databases, alongside public OSINT from social media, dark web, and phishing data. In addition, we enrich our intelligence as well with proprietary sources from our own honeypots, network activity, logs, and scans.
  
  What really sets Q-Feeds apart is how we connect the dots between these different pieces of intelligence, creating a more comprehensive and contextual threat picture. To ensure high data quality, we only use verified and trustworthy sources. We validate all data against RFC internet technical standards, false positives and so on. We remove duplicates, and apply relevance filtering to keep the most accurate and actionable intelligence.
  
  This layered approach ensures our feeds are reliable, validated, and meaningful, not just random data from the web.
• It's a combination of the leading cybersecurity vendors in the world. We're not able to provide you the details because of agreements we've made with them.
• I could tell you a great story that we're the absolute best compared with them, but better is to advice you to take it to the test ;-) We believe in the world of cybersecurity every solution is complementary to each other.

Kind regards,

David

Hello David,

Many thanks for the replies. I am looking up for trying it out!

I see a huge potential in this, mainly because there is no extra overhead, this means network performance should be on pair.
Many of us may have slower internet connections (<1Gbit/s), but run High speed LANs for internal services.

Regards,
S.

Quote from: Seimus on October 06, 2025, 12:01:31 PMHello David,

Many thanks for the replies. I am looking up for trying it out!

I see a huge potential in this, mainly because there is no extra overhead, this means network performance should be on pair.
Many of us may have slower internet connections (<1Gbit/s), but run High speed LANs for internal services.

Regards,
S.

Even better, in some cases we see a drop in the firewall load since we're blocking all the crap :) I'm glad you're as enthusiastic as we are, looking forward to your feedback! I've send you a PM with the instructions ;)

Stefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?

I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?

Quote from: passeri on October 06, 2025, 12:16:59 PMStefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?

I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?

Hi Passeri,

Licensing is per firewall indeed, we check it based on IP. This is not applicable for the community version, that's an all you can eat recipe with no restrictions besides the refresh rate. That said for every firewall you need a new API token in order to be able to pull the data.

Kind regards,

David

This sounds really good. I'm not sure I'd be able to offer any useful feedback, but I am very likely to deploy this at home - when is 'general availability' forecast? Thanks.

Quote from: Taunt9930 on October 06, 2025, 06:14:11 PMThis sounds really good. I'm not sure I'd be able to offer any useful feedback, but I am very likely to deploy this at home - when is 'general availability' forecast? Thanks.

Thanks, Taunt9930! I believe every bit of feedback is valuable, so I'll send you the instructions anyway then you can decide if you're up for it.
We're on track for a public beta in the next OPNsense release, with general availability following shortly after that.


Kind regards,

Stefan

This is just a brief very short initial sump-up, I don't have (yet) access to the other features in TIP,


The Good:
1. easy to install
2. easy to deploy
3. easy to manage
4. Huge list of OSINT based entries (actually this surprised me)

----------------
----------------

The Bad:

Documentation:
1. Documentation needs rework, even thou is simple enough its bit janky
2. Keep in mind not every user is knowledgeable or feels confident, showcase of exact rules with screenshots is necessary

Q-feed plugin:
1. No option for auto deployment of necessary rules
2. No possibility of whitelisting
3. There is no possibility to choose which feeds to install e.g push to aliases

OPNsense widget:
1. The OPNsense widget on GUI is bit janky, cant resize it properly, if its resized on landscape the Logo is cut

Miscs:
1. I do not see a possibility via OPNsense GUI or TIP to report possible false positive (except to open a ticket)

TIP:
1. Not sure why, but on a newly created account in Telemetry Data there are some logs already present with a token that is not associated to any of the created account API tokens

----------------
----------------

The requested:

Q-feed plugin:
1. I would welcome an option to auto deploy the rules, taking two approaches as a floating rule or as a rule within a Group. Groups on OPNsense work as a policy that can be inherited and pushed onto FW interfaces, this is superb for management and deployment.

2. We really need a whitelisting possibility in the plugin UI itself, sooner or later a false positivite will be a reality, its extremly annoying to create a specific rule just for this and its prompt to human errors. OPNsense aliases support revert matching, you can take advantage of this for example if an user wants to white list an IP it could be pushed into the q-feed created alias as !IP replacing the IP.

3. The TIP interface is overall nice, but its only remotely, would it be possible to have it in OPNsense directly? You are already using API keys for the DB, what about having the possibility to show it in the UI in OPNsense or at last some of the functionality?

4. The current Q-feed plugin is under services, assuming you will expand its categories and possible functionality I think it would be better to have a separate main category for it instead having it in services.

5. Would be nice if we can turn off and on the feeds e.g aliases we want, I know this may sound silly, but for example if I decide for testing purposes to disable the IP feed I cant, can be done only by disabling or removing the rule. This could be as well co-implemented into the GUI widget to show which feeds are provided by the licenses and which ones are active by user choice.

OPNsense widget:
1. The widget for Q-feed in OPNsense is bit plain for my taste, would it be possible to enhance it and show the TOP talker per packet/hit count? Basically show TOP most matched IPs/Domains/etc.

Miscs:
1. Not sure how to properly report a false positive that occurred in the Q-Feed DB, I assume via ticket in TIP, however you could create a simple portal where an user will fill in the IP/domain, category and reason, which on your end would flag an IP or URL for review

2. I would welcome a possibility in TIP to put a description or a name for each API key, in case of several deployments to various FWs/Edge devices this would help to identify to which device what API key is assigned

3. Can you please share your roadmap, in regards of the product itself but as well in regards of OPNsense

4. Maybe this is bit to much ask, but you provide 1y 2y 3y subscription licenses, would it be possible to give some % off depending on the year of sub? (1y base price, 2y 5%, 3y 10% off for example)

Regards,
S.

The reports (https://tip.qfeeds.com/views/reports/index.php?period=week) are not doing anything at all.

Quote from: Patrick M. Hausen on October 06, 2025, 08:57:17 PMThe reports (https://tip.qfeeds.com/views/reports/index.php?period=week) are not doing anything at all.

Seeing the same here, it just quickly refreshes the page.

Additionally, I do not see any hits on the API counter or anything in Logs within TIP.

Regards,
S.

Same same ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out crowdsec for reference. I only dropped crowdsec because the free block lists are a joke and paid subscription starts at something around 90$ per month which is a no brainer for a company, but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)

A bit late but I would love to try it.

I'd be interested in trying the Q-Feeds plugin as well.
To protect my home LAN and some small services.

Thanks!

Quote from: halasizs on October 06, 2025, 09:57:44 PMI'd be interested in trying the Q-Feeds plugin as well.
To protect my home LAN and some small services.

Thanks!

I've sent you the instructions per PM. Looking forward to hear your findings.

Quote from: sopex8260 on October 06, 2025, 09:51:53 PMA bit late but I would love to try it.

Details are in your PM, thank you very much in advance!

Quote from: Patrick M. Hausen on October 06, 2025, 08:57:17 PMThe reports (https://tip.qfeeds.com/views/reports/index.php?period=week) are not doing anything at all.

Quote from: Seimus on October 06, 2025, 09:02:28 PM

Quote from: Patrick M. Hausen on October 06, 2025, 08:57:17 PMThe reports (https://tip.qfeeds.com/views/reports/index.php?period=week) are not doing anything at all.

Seeing the same here, it just quickly refreshes the page.

Additionally, I do not see any hits on the API counter or anything in Logs within TIP.

Regards,
S.

Sorry for the hick-up! This has been fixed! Although the functionality is mostly meant for resellers and distributors ;)

Kind regards,

David

Quote from: Patrick M. Hausen on October 06, 2025, 09:06:01 PMSame same ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out crowdsec for reference. I only dropped crowdsec because the free block lists are a joke and paid subscription starts at something around 90$ per month which is a no brainer for a company, but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)

Thank you, Patrick!
We really appreciate your support and don't worry, we won't let you down! :)

I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

Quote from: cookiemonster on October 06, 2025, 10:34:43 PMI'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

The more, the merrier! :) Details are in your inbox.

Quote from: Q-Feeds on October 06, 2025, 10:41:47 PM

Quote from: cookiemonster on October 06, 2025, 10:34:43 PMI'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

The more, the merrier! :) Details are in your inbox.

Got them. Thanks !

Quote from: Seimus on October 06, 2025, 08:17:09 PMThis is just a brief very short initial sump-up, I don't have (yet) access to the other features in TIP,


The Good:
1. easy to install
2. easy to deploy
3. easy to manage
4. Huge list of OSINT based entries (actually this surprised me)

.................

Wow thanks so much for the great list of feedback! Here's our response:

Documentation:
Noted! We agree and will update this soon.

Q-Feeds Plugin:
Auto deployment is listed on the wishlist
Whitelisting as well
Feed choice as well

Widget:
Totally agree as wel, will be updated with better stats as well.


Miscs:
False positive reporting is now done with the support feature in the TIP but I agree we could improve this. Noted!

TIP:
Regarding the strange logs: Unfortunately wasn't able to reproduce this but very keen if other users had this same experience?


The requested:
1. Noted!
2. That could be a great way to implement whitelisting, thanks! We will discuss this with the developers at Deciso as well.
3. I'm afraid this one is for the long term. main reason is maintainability since we do support other firewalls, SIEM, SOAR, EDR/XDR etc. platforms as well. But while we grow we can do more ;)
4. Noted, again will discuss this with Deciso as well.
5. Agree! We will also implement a function which provides an option to limit the number of IOCs for devices with less memory.

Widget:
1. Yes!


Miscs:
1. Noted, will improve this on a short notice!
2. Great feature request, and totally agree as well! You're filling our backlog :)
3. We don't have a public roadmap (yet) but I'm sure that we will implement most of the suggestions in this topic. At the moment for OPNsense and our product we're in a very early beta phase, we'll keep you posted ;)
4. That's already the case.

Thank you very much for your long list! I've added it to our (already long) feedback list and we will keep you posted.

Kind regards,

David

Quote from: Patrick M. Hausen on October 06, 2025, 09:06:01 PMSame same ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out crowdsec for reference. I only dropped crowdsec because the free block lists are a joke and paid subscription starts at something around 90$ per month which is a no brainer for a company, but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)

First of all thanks for your support!

With the plus license you can use the Threat Lookup function to check your hits. We don't collect the hits on your firewall though so currently you should copy the IOC from the logs into Threat Lookup to gather more context about why an IP is in our TI. We've added an integration to the wishlist within the plugin but it won't be on the short list for now.

Kind regards,

David

Quote from: Q-Feeds on October 06, 2025, 11:10:47 PMThank you very much for your long list! I've added it to our (already long) feedback list and we will keep you posted.

Kind regards,

David

Same here, thank you for replying to each individual question/point, feels refreshing. These days to get straight answers from vendors is painful (anyone who was experience with enterprise based TAC cases knows the feeling).

Quote from: Q-Feeds on October 06, 2025, 11:22:51 PMWith the plus license you can use the Threat Lookup function to check your hits. We don't collect the hits on your firewall though so currently you should copy the IOC from the logs into Threat Lookup to gather more context about why an IP is in our TI. We've added an integration to the wishlist within the plugin but it won't be on the short list for now.

Kind regards,

David

While this is awesome that you don't collect any information about what was hit (I feel this is a strong selling point as well), keep in mind that the Community License doesn't have this feature allowed. And I see here a problem and a possible flood of user tickets forum or portal.

There is an use case to consider:

If an user with the free Community license starts to see a block for a particular Destination, there is no possibility to check why is that the case as the IoC lookup is not available to them. This can cause either a significant amount of tickets on your end or on the OPNsense forum end.
Would you maybe consider to allow IoC lookup as well for Community license but maybe limit it to 5 lookups per day?

Regards,
S.

Or N/week, given the Community licence works on a weekly update cycle.

Hi Stefan,

Here are my initial thoughts from last week when the thread was new - I just didn't get to post it:

QuoteHi Stefan,

The FW rule guidance in your manual is incorrect on a few counts and needs to be corrected:

1) The WAN interface will default deny any incoming connection. Unless providing external services and wanting to make sure the malicious IPs will not connect to your service - there's no real need to deny traffic source Q-Feeds.

2) The (v)LAN interface can never be the Source IP for the malware traffic blocked by q-feeds - unless you're actually hosting those networks behind OPNsense.

For the (v)LAN traffic the goal is to Reject (not drop) all traffic Destination q-feeds malware IPs. Another thing to note is that when applying the same rule to multiple interfaces you'll want to create a Floating Rule instead.


I'm interested to see how/if there's gonna be an overlap between packages needed to install q-feeds and packages provided by other repos, such as mimugmail. And since CE has a cadence of 2-3 weeks for a dot release the speed of fixing/adjusting q-feeds to the changes in core will be something to watch.

On a second read, there's a disconnect between the text and visual representation of the rule. The text is slightly better but for a I'm afraid many will default to reproducing the rule as visually depicted in the manual.


After reading the thread a few more ideas come to mind:

For the payed tiers - the 4h and 20 minutes update intervals may sound great on paper. In practice however with the added complexity a few things are bound to happen:

a) Low powered systems will be busy downloading parsing the new ip lists far too often and for a long time each time.

b) Especially on initial deployments where an alias dealing with false positives doesn't exist yet it may be disruptive for the enterprise and painful for the network admins having the playing field suddenly changing every so many hours or minutes.

I think it would be far better if the payed tiers would allow an arbitrary interval to be set, where the lower limit is what the plan allows. "Once a day" may prove to be a very popular choice regardless of the chosen plan.


These are just a few initial thoughts, I may be able to comment more once I get to test the plugin.


For anyone trying the plugin - don't forget to take a snapshot first. Murphy's always watching ;-)

Quote from: Seimus on October 07, 2025, 01:47:16 AM

Quote from: Q-Feeds on October 06, 2025, 11:10:47 PM........
There is an use case to consider:

If an user with the free Community license starts to see a block for a particular Destination, there is no possibility to check why is that the case as the IoC lookup is not available to them. This can cause either a significant amount of tickets on your end or on the OPNsense forum end.
Would you maybe consider to allow IoC lookup as well for Community license but maybe limit it to 5 lookups per day?

With the IoC you're walking a very thin line. If tracking a new emerging threat you don't want to tip your hand. Otherwise if the information is public there's no reason to withhold that information.

Checking the IP history would probably most helpful here, and inspecting the traffic seeing if dealing with a formerly bad IP that may have been reused for legitimate purposes.

Quote from: Seimus on October 07, 2025, 01:47:16 AMWould you maybe consider to allow IoC lookup as well for Community license but maybe limit it to 5 lookups per day?

Quote from: passeri on October 07, 2025, 02:24:53 AMOr N/week, given the Community licence works on a weekly update cycle.

With the Community edition, there's no support included, so IoC context requests submitted via a ticket might not receive a response. Besides 'no support' we will improve the false positive reporting as stated before. That said it's an interesting idea though, and I've added it to our feedback list. I don't expect we'll implement this anytime soon, but it's definitely noted.

Stefan

So the system seems to work. See screen shot.

Now, where can I find for each of these 403 blocks:

- source IP address
- reason it was blocked
- local service it tried to access
- country of origin
- source AS

?

Quote from: newsense on October 07, 2025, 09:19:49 AMHi Stefan,

Here are my initial thoughts from last week when the thread was new - I just didn't get to post it:

Hi Stefan,

The FW rule guidance in your manual is incorrect on a few counts and needs to be corrected:

1) The WAN interface will default deny any incoming connection. Unless providing external services and wanting to make sure the malicious IPs will not connect to your service - there's no real need to deny traffic source Q-Feeds.

2) The (v)LAN interface can never be the Source IP for the malware traffic blocked by q-feeds - unless you're actually hosting those networks behind OPNsense.

........

Hi Newsense,

First of all thanks for testing and thanks a lot for your feedback!

Regarding the 'WAN interface default deny' you're absolutely right! If you don't have any external services it might still be interesting to see which hits you have on our intelligence, besides that there's no real need. And the LAN interface Source is noted as well, we will update the documentation today.

On a broader note, unfortunately there's no 'one rule to rule them all' meaning every setup differs and everyone has different needs. We might want to make it more clear in the documentation that it's just an example.

For the development of the plugin we work closely together with Deciso themselves who actually already made some small changes in previous releases to the core in order to make the Q-Feeds plugin work. In the end when we release the plugin (GA) it will be part of the 'core' plugins maintained by Deciso. The next step (few weeks) will be that we're listed under the community plugins for and open beta purpose. If a hotfix would be needed we're able to, thanks to the partnership between Q-Feeds and Deciso.

Regarding the update interval; did you see any (major) performance hit while pulling in the threat intelligence? I haven't been able to reproduce while my dev-opnsense box is very limited in resources. (fair enough, there's not much traffic being processed)

Regarding the false positives: we're planning to improve both how they can be submitted and how they're handled directly on the OPNsense box. While false positives can always occur, suggesting they might impact the network every hour or even every few minutes feels a bit exaggerated. Incidents can definitely happen, but if they were happening that often, we wouldn't deserve to exist. In fact we've been running our threat intelligence across multiple platforms with multiple B2B customers for the past 13 months already, and in all that time we've only had two confirmed false positives.

That said I definitely do understand what you mean and I've added your suggestion to make it more flexible to the wishlist. Something else we're going to add is a possibility to limit the number of IOCs being pulled in for memory-bound devices while keeping the priority (risk-score) of the IOC in mind.

Thanks again for your valuable feedback!

Kind regards,

David

Hi David/Stefan,

Please find a few additional comments/questions on the plugin below.
1. How is the update process of the IoC list handled? Does it handle its own updates? How does the plugin know how often it can request updates?
Or are updates managed through the regular cron job for update of aliases under the System->Settings->cron? If so, how does the run frequency of that job relate to the update frequency enforced by the License?
2. I tried to lookup a few IoC IP-addresses via Threat Lookup and some lookups were successful, but for others I got an error or were not found.

Quote from: Patrick M. Hausen on October 07, 2025, 11:27:48 AMSo the system seems to work. See screen shot.

Now, where can I find for each of these 403 blocks:

- source IP address
- reason it was blocked
- local service it tried to access
- country of origin
- source AS

?

Well the easiest method is to use the live view with a template. Downside is that it's live; and doesn't show history.

Another way is to get the Rule ID via Firewall -> Diagnostics -> Statistics and look for the 32 character ID. With this ID you can search in you Plain View logs (Firewall -> Log Files -> Plain View) and see all the hits. Obviously this only works if you've enabled logging on the FW rule. Since you have a Plus license (Thanks!) IOC enrichment can be found using Threat Lookup on our TIP by copying the IOC. 

There are also a lot of possibilities to use external reporting, logging tools but that's another topic.

I do understand this is not very convenient and will add it to the list to further improve. For now it's a bit bound to how OPNsense handles the logging.

Kind regards,

David

Quote from: Kets_One on October 07, 2025, 11:54:03 AMHi David/Stefan,

Please find a few additional comments/questions on the plugin below.
1. How is the update process of the IoC list handled? Does it handle its own updates? How does the plugin know how often it can request updates?
Or are updates managed through the regular cron job for update of aliases under the System->Settings->cron? If so, how does the run frequency of that job relate to the update frequency enforced by the License?
2. I tried to lookup a few IoC IP-addresses via Threat Lookup and some lookups were successful, but for others I got an error or were not found.

Hi Kets_one,

The update process is indeed handled by the plugin. So when you save the api-token in the GUI it will first contact an API endpoint on our end which provides information about which feeds are available and at which times the feeds should be updated according to the license. If you hit the save button multiple times you might get a rate limit error (which we will improve) due to the fact that the plugin then tries to force refresh te feed while it shouldn't.

For the lookup function I'll try to reproduce it, I can see your lookup history in the server logs and will address it soon.

Kind regards,

David

The enthusiasm and amount of feedback positively overwhelmed us, thank you so much!
To give an overview of what we did with your feedback this far:

Done this far:

• Improved the documentation
• Realigned text and screenshots
• Improved text
• Added and updated screenshots for more clarity
• Added False Positive reporting functionality to the TIP
• Including tracking and notifications
• Added possibility to add descriptions with API-token
• Fixed a lot of bugs:
• TIP reports page
• TIP Company details page
• TIP Account details page
• Multiple textual improvements
• Improved color scheme dark/light mode
• TIP Account details page
• + some more

Still on the feedback list:

• Plugin
• Better error handling rate limit notification
• Better error handling expired license notice
• Ability to set refresh rate
• Ability to set number of IOC limit
• Add support DNS/URL natively
• Whitelist functionality
• Improve reporting on hits
• Auto deploy floating rules
• Give the plugin a separate 'security' category in the menu instead of 'services'
• Integrate TIP functionality with plugin (not likely to happen)
• Widget:
• Improve overall look and feel
• Add stats like top talkers, next update etc.
• TIP
• Consider limited amount of lookups for Community version
• + many many more ;)

We can't promise timelines for all items, but we'll do our best to address as many as possible as soon as we can. This list mainly reflects the feedback we've received so far. It's not a complete overview, there's still a lot more great stuff coming up.

The call for testers is still open and if you have anything to add, let us know!

Im open for testing this, i have 3 diff firewalls with varying levels and types of traffic.

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PMThe enthusiasm and amount of feedback positively overwhelmed us, thank you so much!
To give an overview of what we did with your feedback this far:

Done this far:

• Improved the documentation
• Realigned text and screenshots
• Improved text
• Added and updated screenshots for more clarity
• Added False Positive reporting functionality to the TIP
• Including tracking and notifications
• Added possibility to add descriptions with API-token
• Fixed a lot of bugs:
• TIP reports page
• TIP Company details page
• TIP Account details page
• Multiple textual improvements
• Improved color scheme dark/light mode
• TIP Account details page
• + some more

Still on the feedback list:

• Plugin
• Better error handling rate limit notification
• Better error handling expired license notice
• Ability to set refresh rate
• Ability to set number of IOC limit
• Add support DNS/URL natively
• Whitelist functionality
• Improve reporting on hits
• Auto deploy floating rules
• Give the plugin a separate 'security' category in the menu instead of 'services'
• Integrate TIP functionality with plugin (not likely to happen)
• Widget:
• Improve overall look and feel
• Add stats like top talkers, next update etc.
• TIP
• Consider limited amount of lookups for Community version
• + many many more ;)

We can't promise timelines for all items, but we'll do our best to address as many as possible as soon as we can. This list mainly reflects the feedback we've received so far. It's not a complete overview, there's still a lot more great stuff coming up.

The call for testers is still open and if you have anything to add, let us know!

My initial impression of the app so far is positive ill highly the few things. i really like the simplicity of the install kind of reminds me on Maltrail . The lightweights witch good for those who are not running like a r620 or equivalent for home use. So far no stability issues on net that is around 500mb down. over all for home use i feel it better then Crowedsec and Suricata/snort . I have used most of them snort , Suricata , Crowdsec , Matrail and Zenarmor. if you want me compare them Qfeeds is by far the lightest and simplest compared to those.   I do have a few questions not sure if they been said . Will there be asn look up or any way to look up and get info on the particular address? second is for the updates is that a hardlimit 7days i feel that should be 3-4days just my opinion. I do realize the opnsense logging dictates what the addon can do.   

Quote from: Q-Feeds on October 07, 2025, 12:12:53 PMWell the easiest method is to use the live view with a template. Downside is that it's live; and doesn't show history.
[...]
There are also a lot of possibilities to use external reporting, logging tools but that's another topic.

I do understand this is not very convenient and will add it to the list to further improve. For now it's a bit bound to how OPNsense handles the logging.

I understand now. Since your service only updates that block list alias, there is of course no mechanism to report back. I did not use firewall rule logging until now.

The "Overview" looks good, showing IP addresses, ports, etc.

I'll check if the blocked packets end up in netflow even if there is never a flow established, really. If yes, I can create an ElastiFlow dashboard.

Thanks!
Patrick

Update: no netflow for blocked connections. Makes sense 😉

Quote from: danderson on October 07, 2025, 03:53:46 PMIm open for testing this, i have 3 diff firewalls with varying levels and types of traffic.

Thx and sound like a very nice test case, I've send you a PM!

Stefan.

Quote from: dan786 on October 07, 2025, 04:15:26 PMMy initial impression of the app so far is positive ill highly the few things. i really like the simplicity of the install kind of reminds me on Maltrail . The lightweights witch good for those who are not running like a r620 or equivalent for home use. So far no stability issues on net that is around 500mb down. over all for home use i feel it better then Crowedsec and Suricata/snort . I have used most of them snort , Suricata , Crowdsec , Matrail and Zenarmor. if you want me compare them Qfeeds is by far the lightest and simplest compared to those.   I do have a few questions not sure if they been said . Will there be asn look up or any way to look up and get info on the particular address? second is for the updates is that a hardlimit 7days i feel that should be 3-4days just my opinion. I do realize the opnsense logging dictates what the addon can do.   

Thank you so much for your kind words and nice review!
ASN lookup and other IOC context are available in the TIP through Threat Lookup (for Plus and Premium licenses only).
I totally understand it would be great to have less strict refresh rates and features. Unfortunately, we can't offer that for free at the moment. Maybe once we have a bit more resources, we can loosen things up a little.

Quote from: Patrick M. Hausen on October 07, 2025, 04:43:25 PMI understand now. Since your service only updates that block list alias, there is of course no mechanism to report back. I did not use firewall rule logging until now.

The "Overview" looks good, showing IP addresses, ports, etc.

I'll check if the blocked packets end up in netflow even if there is never a flow established, really. If yes, I can create an ElastiFlow dashboard.

Thanks!
Patrick

Exactly! We've decided to collect only the data that's strictly necessary for the service to work. We believe that it's not up to us to see which connections you (willingly or not) make.  Combined with our European (Dutch) roots, we hope this approach could make a real difference for some decision-makers. The downside, however, is that we can't offer those fancy all-in-one portals :) . On the other hand, as you've proven, there are plenty of possibilities to handle the logging locally.

Thanks,

Stefan

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM

• Improved the documentation

• Realigned text and screenshots
• Improved text
• Added and updated screenshots for more clarity

The docs looks much more better now but you did a bit of a mistake.

Quote• Interface
o Select the interfaces on which you would like to block the connections. In this example we chose to
use both LAN for outbound and for incoming WAN. While you could select multiple interfaces for
either the inbound or outbound rule.

Both of your rules in pictures are for INBOUND for LAN as well WAN (as it should be), please correct this text to reflect it. This could enforce the idea that the Rule for LAN should be OUT instead of IN.

I think it should be worded like this

Quoteo Select the interfaces on which you would like to block the connections. While you could select multiple interfaces, in this example we chose to
use both LAN (towards Q-feeds destination) & WAN (from Q-feeds source) for INBOUND blocking.

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM

• Added False Positive reporting functionality to the TIP

• Including tracking and notifications

This looks really nice in TIP! Is this available as well for the Community license?

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PMAdded possibility to add descriptions with API-token

This doesn't work for me, I changed the description I got a success pop-up but its not updated.

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM

• Fixed a lot of bugs:

• TIP reports page
• TIP Company details page
• TIP Account details page
• Multiple textual improvements
• Improved color scheme dark/light mode
• TIP Account details page
• + some more

TIP reports page
The System summary report doesn't work I get an error "Error generating report: Network response was not ok and no error message was provided."

Regards,
S.

Hi David,

Een vraagje.
In de qfeeds alias ik zie dat er momenteel 725256 malware IPs zijn geladen.
Zouden dat er niet meer moeten zijn omdat ik (tijdelijk) een premium license heb?
Waar zijn de "Malware domains" en "Phishing URLs" opgeslagen?

Quote from: Seimus on October 07, 2025, 06:20:09 PMThe docs looks much more better now but you did a bit of a mistake.

Quote• Interface
o Select the interfaces on which you would like to block the connections. In this example we chose to
use both LAN for outbound and for incoming WAN. While you could select multiple interfaces for
either the inbound or outbound rule.

Both of your rules in pictures are for INBOUND for LAN as well WAN (as it should be), please correct this text to reflect it. This could enforce the idea that the Rule for LAN should be OUT instead of IN.
...................

Thanks ! Fixed the documentation again, we borrowed your text to make sure there are no mistakes anymore.

Yes the false positive reporter will always be available for community users as well! And the descriptions should work now.
The system report item is repaired by removing it, this was some old functionality which nog longer applies to the current setup of the TIP. Thanks for spotting it!

Quote from: Kets_One on October 07, 2025, 08:59:54 PMIn the Q-Feeds alias I see that there are currently 725,256 malware IPs loaded.
Shouldn't there be more since I (temporarily) have a premium license?
Also, where are the "Malware Domains" and "Phishing URLs" stored?

At the time of writing, that number indeed matches what the premium list contains. The total count alone doesn't say much — we can easily add more items if needed. Whether that actually makes it more valuable is doubtful though.

As one of many examples, the Premium feed includes more APT-related IOCs. There may not be many of them, but their impact is significantly higher compared to the OSINT lists, which mainly contain more brute-force and nmap-style IOCs. This is just one of the examples where the premium list really differs.

In the current version of the plugin, nothing is done yet with the Malware Domains and Phishing URLs. This is on the shortlist for an upcoming release.
If you happen to run Pi-hole or AdGuard, I can help you set those up there already.

Edit: translated to English.

Quote from: Q-Feeds on October 07, 2025, 10:17:05 PMMocht je toevallig Pi-Hole of Adguard draaien dan kan ik je wel op weg helpen om ze daar in te laden.

Please do so publicly if possible. I am also interested in loading the data into AdGuard Home.

Thanks!
Patrick

Quote from: Patrick M. Hausen on October 07, 2025, 10:54:15 PM

Quote from: Q-Feeds on October 07, 2025, 10:17:05 PMIf you happen to run Pi-hole or AdGuard, I can help you set those up there already.

Please do so publicly if possible. I am also interested in loading the data into AdGuard Home.

Thanks!
Patrick

(Translated the quote to English, my mistake I responded in dutch previously...)

In both Adguard or Pi-Hole you can add a list this way:

Domains:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=XXXXXXX

URLs
https://api.qfeeds.com/api.php?feed_type=phishing_urls&api_token=XXXXXXX

Obviously replace "XXXXX" with your own token.

For even more creative constructions we have this page which describes the current functionality of our API endpoints: https://api.qfeeds.com/openapi/ (https://api.qfeeds.com/openapi/)

I do want to emphasize that we're planning to implement it in the OPNsense plugin. But for those who can't wait this is a workaround for now :) Please also note that these platforms are not officially supported.

429 Rate Limit Exceeded.

Why?

Thanks,
Patrick

Quote from: Patrick M. Hausen on October 07, 2025, 11:21:56 PM429 Rate Limit Exceeded.

Why?

Thanks,
Patrick

Aah you're using the same API token on both OPNsense as Adguard that conflicts. For multiple platforms you need multiple API tokens. Since you do have an active license with support I'll help you set it up in PM.

Quote from: Q-Feeds on October 07, 2025, 11:25:29 PMAah you're using the same API token on both OPNsense as Adguard that conflicts. For multiple platforms you need multiple API tokens. Since you do have an active license with support I'll help you set it up in PM.

I would like to as well load it into my Piholes (have a HA Pihole setup). Having preventive block on DNS combined with the one on FW is a welcome implementation.

Here I have a question about the licenses and API keys or better to say a sum-up. From the "Manage API Keys" I can see that I can setup up to 5 API keys.

Q1. Is the limit of API keys so 5 the max per account or this is depending on the subscription?
Q2. In regards of what has discussed before in this topic, each API key is linked to a subscription, so 1 API key per 1 type of license?
Q3. Pihole or Adguard can block only based on Domains. Did you maybe consider a "tiny" or a "DNS blackhole" subscription where you would provide only Domains as none of them can block based on IPs anyway?
Q4. In regards of Q2 this means 1 API key is limited to one single device due to the rate limit introduced by the subscription?

-----

Another idea,
in TIP would it be possible to provide graphs for respective categories in the "Threat Intelligence Overview"? This could be maybe useful for following the trend of IoCs. Not sure if it would be for any use tho, other than potential Tshooting.

-----

In TIP the View API logs have a field called "Auth Method" but it doesn't show any Auth method. It shows if the API call was successful or not, basically it represents in words the status code. Maybe this field should be renamed?

Regards,
S.

Quote from: Seimus on October 08, 2025, 01:32:04 AM

Quote from: Q-Feeds on October 07, 2025, 11:25:29 PMAah you're using the same API token on both OPNsense as Adguard that conflicts. For multiple platforms you need multiple API tokens. Since you do have an active license with support I'll help you set it up in PM.

I would like to as well load it into my Piholes (have a HA Pihole setup). Having preventive block on DNS combined with the one on FW is a welcome implementation.

...................

Hi Seimus,

Thanks again for you great questions and suggestions! You're a great help!

A1. Currently we've set the limit to 5 keys per account but we can change this as needed. We might set it to unlimited when we go for the general release.
A2. That's correct, pricing is also based on per firewall/device and per beneficial user.
A3. Hmm we didn't actually up until now. We'll take it in consideration. Thanks for this great idea!
A4. Correct, that's due to the rate limit and if there are issues it makes troubleshooting easier as wel.

The idea to browse our Threat Intelligence, show trends, track APT groups, news, etc are all ideas we're planning to further expand the functionality of the TIP. Also dark web monitoring and other Attack Surface functionality is under development. It takes a lot of investment to develop and run such functionality though so we're in desperate need of some funds in order to develop this :) :)

Regarding the Auth Method, that would be way prettier indeed. I've added it to the list. Thank You!!

Upgraded to OPNsense 25.7.5, reboot is required.

After reboot total __qfeeds_malware_ip, malware_ips loaded = 0

Quote from: gtwop on October 08, 2025, 04:01:54 PMUpgraded to OPNsense 25.7.5, reboot is required.

After reboot total __qfeeds_malware_ip, malware_ips loaded = 0

Hi Gtwop,

It could take a little while before those stats are reloaded. The alias is not emptied though, it's just the statistics. Can you let me know if the stats in the widget reappeared?

That said I think there's definitely room for improvement so thank you for your feedback! We've added it to our list. 

No, the alias content itself is 0. It happened to me as well after a reboot. The plugin says I'm rate limited.

I would expect that I can redownload the same set of data as many times as I want (with request boundaries set to prevent ddosing).

I thought 7 days meant the data does not change for 7 days, but I can redownload the same set of data more than once?

I also experience frequent "rate limiting" blocks when I look at the logs. With the default settings.

P.S. Same same - 0 loaded after update and reboot.

P.P.S. If your rate limiting is implemented like "1 request every x minutes maximum" - that is not going to work, because there will be a new reqest every time I reboot my firewall and one cannot tell when the last one happened.

Better: have the plugin perform one request per hour and rate limit to e.g. 5 requests per hour.

BTW: why rate limit at all? All requesters are registered customers with an API token even for the free tier. Abuse is not probable - people are installing your software and letting it do its thing.

Over 4 hours since upgrade, some feedback.

Firewall: Aliases: __qfeeds_malware_ip, loaded# 0

Firewall: Diagnostics: Aliases Showing 0 to 0 of 0 entries

Issued this command several times: "service configd restart" No change.

Services: QFeeds Connect:Settings: Re-Apply API Key

Error reconfiguring QFeeds connect
downloaded index to /var/db/qfeeds-tables/index.json
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Under folder:
/var/db/qfeeds-tables/, I see four files: malware_domains.txt
                                          phishing_urls.txt
                                          malware_ip.txt
                                          index.json

Updated: Oct 5th
Next update: 2025-10-12T23:35:10Z

My understanding is, it will refuse connections until the next due update.

You can use TIP > Manage API Keys > Edit to activate a 5 minute override during which no rate limiting applies.

I would prefer a permanent solution, too, but for the moment that will probably help you. Worked for me - at least the alias is now populated. The widget still shows 0/0. I did a full reboot of my firewall.

I tried several times to get another API Key, all I get on the upper corner in red letters is: "Warning          X"

Click on the X nothing changes.

Don't try to get another key - you can activate an override of 5 minutes for your existing one.

Thanks Patrick M, I used your advise and it worked, the alias is now populated.

Also Thx to Patrick, the override and then re-apply in the service under qfeeds re-populated the alias with info.  As i was also getting the rate limiting error.
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Quote from: Patrick M. Hausen on October 08, 2025, 08:31:37 PMDon't try to get another key - you can activate an override of 5 minutes for your existing one.

Thanks Patrick for helping out! This issue is high on the priority list! Will keep everyone updated.

It's been a while and I didn't receive any PM on how to set up qfeeds. Is the beta testing over or having enough accounts already ?

Quote from: newsense on October 09, 2025, 07:51:01 AMIt's been a while and I didn't receive any PM on how to set up qfeeds. Is the beta testing over or having enough accounts already ?

Apologies, it seems I overlooked your earlier message. The beta testing is still ongoing, and we'd be happy to get you set up with Q-Feeds.

I'll send you a PM with the setup details so you can get started right away.

Stefan

The homepage has in big bold large font platform spelled incorrectly

As a business user of Opnsense is this actually going to replace geoip?   My understanding is Opnsense provides the ip addresses currently to be blocked by country

A query, and a minor cosmetic issue.

The e-mail on setup advises to "Rotate API keys regularly". This is not in the manual. Please describe the need and frequency further.

The latest manual refers to QFeeds_ip_malware whereas when setting up the rule the alias discovered is __qfeeds_malware_ip

Hi,

I'm also interested in testing out Q-Feeds.

Xavier.

Quote from: DEC670airp414user on October 09, 2025, 12:05:56 PMThe homepage has in big bold large font platform spelled incorrectly

As a business user of Opnsense is this actually going to replace geoip?   My understanding is Opnsense provides the ip addresses currently to be blocked by country

That was quite a stupid typo :) Thanks for pointing it out!

No, it's not replacing GeoIP. GeoIP blocks IPs based purely on geographic location, basically saying "block everything from this country." But from a security perspective, that approach isn't really sufficient and sometimes even disrupts valid services. It's also quite easy for cybercriminals to just host malicious stuff within 'trusted countries'.

For example, we have to trust certain countries because many legitimate services are hosted there (think of CDNs, cloud providers, etc.), yet within those same countries, you'll still find malicious infrastructure. And the opposite is true as well, not everything coming from a country that's often blocked is necessarily bad.

That's exactly what we're focussing on, instead of blindly blocking by country, we focus on verified malicious activity. So you only block what's actually harmful or at least unwanted.

That said. You can still block using GeoIP if your situation allows it. It's a different approach though.

Quote from: passeri on October 09, 2025, 12:16:33 PMA query, and a minor cosmetic issue.

The e-mail on setup advises to "Rotate API keys regularly". This is not in the manual. Please describe the need and frequency further.

The latest manual refers to

Code Select Expand

QFeeds_ip_malware whereas when setting up the rule the alias discovered is

Code Select Expand

__qfeeds_malware_ip

Thanks for your feedback! Fixed the email template by removing that sentence. And we'll update the manual shortly!

Quote from: IxPo on October 09, 2025, 12:18:27 PMHi,

I'm also interested in testing out Q-Feeds.

Xavier.

Thanks in advance, we will send you a PM shortly!

Hi,

Also interested in trying this out.

Misja

Quote from: BoodahsFever on October 09, 2025, 01:30:17 PMHi,

Also interested in trying this out.

Misja

It's in your inbox!

I have two Opnsense firewalls and would like to try this out if possible.

Thanks

Rob

Quote from: robddavies on October 09, 2025, 05:13:59 PMI have two Opnsense firewalls and would like to try this out if possible.

Thanks

Rob

We are looking forward to hearing your feedback!

Hello, if possible, I would like to try this out as well. Cheers!

Quote from: wbennett on October 09, 2025, 06:11:09 PMHello, if possible, I would like to try this out as well. Cheers!

In your PM! Thanks.

Wow, great discussion until now. I'd like to test it as well.

Reading the entire 9 pages, I already have a few comments/questions ;-) :

- alerts/notifications were mentioned via email/snmp

Webhooks would be great as well. e.g. this makes it possible to use a bunch of external systems like gotify.
Since this is a partnership, maybe an OPNsense core service for notifications can be created (email, snmp, webhooks, ...) and the QFeeds plugin just uses what is set up there. I am sure there are other plugins and even OPNsense internal areas where notifications could be beneficial.

- clarification of device/user licensing (opnsense, pihole)

pihole was mentioned to block domains. But it was also mentioned that you need a different API key. Does this mean that I do need 2 subscriptions, if I were to buy the plus plan) to use the opnsense plugin and my pihole (on a different box in my home network)? On the free plan, do I still need 2 API keys for opnsense and pihole?

- feedback on feedback

The things that came up in the feedback so far which are most important/interesting to me are:

- auto deploy rules
- reporting/stats (e.g. keep track of the top X (10-100) blocks, timestamp, source, reason, ... in a db or even just a text file. I don't want to manually search multiple logs)

Quote from: tessus on October 09, 2025, 07:54:51 PMWow, great discussion until now. I'd like to test it as well.

Reading the entire 9 pages, I already have a few comments/questions ;-) :

- alerts/notifications were mentioned via email/snmp

Webhooks would be great as well. e.g. this makes it possible to use a bunch of external systems like gotify.

........

Hi Tessus,

Great to have you in the test group as well, I'll send you the details right after I've posted this message.

- Alerting / Notifications

I'll bring it up with the team. Although as you mentioned as well, I think this should be broader then just the Q-Feeds plugin.

- License clarification
For the community edition users do need two API-keys indeed. For paid subscriptions we will help you out so it's just one subscription ;-)
Due the feedback we've received we're looking into options to revisit the current behavior with the rate limit and the way subscriptions are 'enforced'.

- Feedback on the feedback on feedback :D
We actually had quite a long brain storm today about the auto-deploy rules feature. For now, we've decided to put it on hold, mainly because there's really no "one rule fits all" approach. We're also cautious that users might assume, "If it's auto-created, it must be correct."
What's your take on this? How would you imagine a perfect auto-deploy function that works for everyone (or at least most users)?

-Reporting stats
On this part we've actually made some great progress today so for the release version we're planning for an extra tab called 'Events' which will show the logs/events related to the Q-Feeds intelligence.

I realized I forgot to reply to the earlier quote but thank you for addressing those concerns I had so quickly!
One thing I just realized might be good to have on the roadmap is whitelisting. Either inbound or outbound integrated into Q-Feeds. Say I want a host to to not be restricted by q-feeds but still protected in other ways if that makes sense, it would be good to be able to easily whitelist source/destinations (public or private IPs) without the need for additional floating rules.

You do not need additional floating rules.

In the current one, set an Alias as Source (invert it in the rule) in which you add all hosts that should be excluded.

This means, all hosts that are not the ones in the alias will be inspected.

Same can be done with a inverted destination alias.

Quote from: Monviech (Cedrik) on October 10, 2025, 05:38:10 PMYou do not need additional floating rules.

In the current one, set an Alias as Source (invert it in the rule) in which you add all hosts that should be excluded.

This means, all hosts that are not the ones in the alias will be inspected.

Same can be done with a inverted destination alias.

Awesome! That works perfectly :)

Hello,
I didn't see that topic.
I'd like to try it.
I dropped suricata on Lan and vlan interfaces as it was causing issues when i have a spike in traffic.
I use crowdsec on wan but i had to desactivate it for nextcloud (too many false positives). Still active for other apps.
For now the most effective is geoip blocking inbound connections. It's ok for a homelab not so much for a company.
For the test do you need crowdsec disabled ?

Hi,

I'll give it a go if you still need more testers.

Thanks
Ray

Quote from: caplam on October 10, 2025, 08:14:20 PMHello,
I didn't see that topic.
I'd like to try it.
I dropped suricata on Lan and vlan interfaces as it was causing issues when i have a spike in traffic.
I use crowdsec on wan but i had to desactivate it for nextcloud (too many false positives). Still active for other apps.
For now the most effective is geoip blocking inbound connections. It's ok for a homelab not so much for a company.
For the test do you need crowdsec disabled ?

Great thanks in advance, I'll send you the instructions shortly. No there's no need to disable crowdsec.

Quote from: n0ahg on October 10, 2025, 08:40:27 PMHi,

I'll give it a go if you still need more testers.

Thanks
Ray

Great! Thank you in advance Ray, I'll send you the instructions shortly.

Thanks for your answers.

Quote from: Q-Feeds on October 09, 2025, 08:54:16 PM- Alerting / Notifications

I'll bring it up with the team. Although as you mentioned as well, I think this should be broader then just the Q-Feeds plugin.

Yea, this is something that might have to be developed with the OPNsense core team together. That is, if they want to have a "notification service" that is available to all of OPNsense (and its plugins). If not, alerting/notifications would still be important for your plugin.

As for a general design for notification/alerts, people should be able to create multiple "providers" (email, webhook, snmp, push service, ...) for sending alerts/notification. And then the user just chooses one or more providers for sending out alerts/notifications.

Quote from: Q-Feeds on October 09, 2025, 08:54:16 PM- Feedback on the feedback on feedback :D
We actually had quite a long brain storm today about the auto-deploy rules feature. For now, we've decided to put it on hold, mainly because there's really no "one rule fits all" approach. We're also cautious that users might assume, "If it's auto-created, it must be correct."
What's your take on this? How would you imagine a perfect auto-deploy function that works for everyone (or at least most users)?

I can give you a better answer after I have tested your plugin in more detail.

But I can imagine the following workflow and settings:

1. create a new rule automatically
2. leave the rule inactive or activate it (create a new setting, so people can choose)
3. send a notification/alert (create a new setting, so people can choose)

as for 2, one could even go further and create several "classes" or "groups" of rules, which allows users to create activate/keep-inactive setting per group. (but that might overdo it, just thinking out loud...)

Quote from: tessus on October 10, 2025, 08:48:24 PMThanks for your answers.

Quote from: Q-Feeds on October 09, 2025, 08:54:16 PM- Alerting / Notifications

I'll bring it up with the team. Although as you mentioned as well, I think this should be broader then just the Q-Feeds plugin.

......

Thank you for your input! It would definitely be interesting to do so, especially if you're able to filter on it as well. So for example only notifications if machine X got a hit. We've added it to the list but it won't be soon.

That way of rule creation could work indeed, forcing a user to review them. We'll bring that to the table as wel! Thank you so much!

!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

We also added an event page to the plugin to see the actual activity. This will only work if you've applied logging on the rules where the Alias is bound to.

We've improved the widget with some more data.

And the plugin now moved from 'Services' to 'Security'

The new update scheme is already active. If you want to test the new Plugin functionality you can run the following command:

pkg add -f <same URL but with "-0.1_1.pkg" as extension>If you can't get it to work please send us a PM.

Please do not share the URL yet on the forum since we want to keep the testing group under control for now :)

Known issue: the widget on the TIP dashboard only shows the Premium count currently for all users. We will change this in the upcoming (work)days. We might spend some weekend hours on it :)

Once more we want to thank you all for you feedback! And obviously we keep on working on the rest of the list.

Kind regards,

Stefan

Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

We also added an event page to the plugin to see the actual activity. This will only work if you've applied logging on the rules where the Alias is bound to.

We've improved the widget with some more data.

And the plugin now moved from 'Services' to 'Security'

The new update scheme is already active. If you want to test the new Plugin functionality you can run the following command:

Code Select Expand

pkg add -f <same URL but with "-0.1_1.pkg" as extension>If you can't get it to work please send us a PM.

Please do not share the URL yet on the forum since we want to keep the testing group under control for now :)

Known issue: the widget on the TIP dashboard only shows the Premium count currently for all users. We will change this in the upcoming (work)days. We might spend some weekend hours on it :)

Once more we want to thank you all for you feedback! And obviously we keep on working on the rest of the list.

Kind regards,

Stefan

Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.

Quote from: Lurick on October 10, 2025, 09:44:48 PM

Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

.....

Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.

Wel it could take up to 30 seconds to load the actual events. The missing tab is interesting, can't seem to reproduce that. Anyone else experiencing that?

Updated,

I like the new changes.

1. The update was seamless, I had not issues at all. After update the Section moved from Services to a new main Section called Security.
2. The new Events TAB, is working for me, it loaded over 50K records e.g 4days. Is this hard-coded?
3. The events show as well Interfaces (NICE!) but only LAN based ones. The ingress block on WAN doesn't show the WAN interfaces in Events.
4. The widget is now much more better.

Regards,
S.

NOTE: The Events TAB takes time to load, as its parsing the log (Collected events from the firewall log for QFeed aliases), so the larger it is the longer it will take relative to the CPU performance.

I am not able to change my email address on the TIP web site.

I have noticed that the notifications are sent to the email I registered with. However, I usually like to add a modifier so that it is easier to filter. e.g. user+qfeeds@example.com

I am getting a warning:

QuoteQFeeds requires additional memory to be reserved for aliases. Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least 2 million items.

However, when I check my settings, it is blank and my default is 10,000,000. (Note: Leave this blank for the default. On your system the default size is: 10000000)

I'd rather not set a value there, but go with my default which is already 5 times the value the QFeeds plugin requires.

Quote from: Seimus on October 10, 2025, 11:31:51 PMUpdated,

I like the new changes.

1. The update was seamless, I had not issues at all. After update the Section moved from Services to a new main Section called Security.
2. The new Events TAB, is working for me, it loaded over 50K records e.g 4days. Is this hard-coded?
3. The events show as well Interfaces (NICE!) but only LAN based ones. The ingress block on WAN doesn't show the WAN interfaces in Events.
4. The widget is now much more better.

Regards,
S.

NOTE: The Events TAB takes time to load, as its parsing the log (Collected events from the firewall log for QFeed aliases), so the larger it is the longer it will take relative to the CPU performance.

Great to hear ! I'm glad you're happy with it.
Yes the 50K is hardcoded because as you mentioned it takes some time and resources to parse the logs as for now. We'll add the WAN comment to list, thank you!

Just updated the plugin. Looks like its working fine. Will keep an eye on it.

Quote from: tessus on October 11, 2025, 12:18:02 AMI am not able to change my email address on the TIP web site.

I have noticed that the notifications are sent to the email I registered with. However, I usually like to add a modifier so that it is easier to filter. e.g. user+qfeeds@example.com

I've added the ability to change your emailadres now. You do have to confirm your mail after changing it.

Quote from: tessus on October 11, 2025, 12:31:52 AMHowever, when I check my settings, it is blank and my default is 10,000,000. (Note: Leave this blank for the default. On your system the default size is: 10000000)

I'd rather not set a value there, but go with my default which is already 5 times the value the QFeeds plugin requires.

That's interesting, I was not able to reproduce this. Anyone else experiencing this?

Public beta.

We're feeling confident now that the plugin is stable enough for a 'public beta'. For anyone who wants to try Q-Feeds here are the installation instructions:

Login via ssh as root (or using sudo), and run the following command:

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-0.1_1.pkg
And for those missed it, this is also the update command.

The manual can be found here: https://qfeeds.com/opnsense/ (https://qfeeds.com/opnsense/) on the bottom of the page.

For those who want to check the source code, we've published that as well:  Github (https://github.com/opnsense/plugins/commit/27bd359a360166eae91d23b603bfb405f2d5b5f8)

We're still very keen to receive your feedback in order to improve the product! Thank you in advance!

Kind regards,

David

Hello,

Installed it a few hours ago.
I, first thought there was an error as i didn't see it in services and then noticed there was a new entry : "security"

It loaded 475628 entries in __qfeeds_malware_ip alias.
I created 2 floating rules:
one on the wan interface
one on Lan and vlans interfaces
after 2 hours i have 58 events all on the wan interface.
These events have source ips mainly from usa which are geo filtered. I guess that is because the q-feed rule is matched before geo ip rule.

What i don't understand is the count of ips in alias that don't match anything on the tip dashboard.
On my tip dashboard i have :

Quote from: caplam on October 11, 2025, 11:47:44 AMHello,

Installed it a few hours ago.
I, first thought there was an error as i didn't see it in services and then noticed there was a new entry : "security"

It loaded 475628 entries in __qfeeds_malware_ip alias.
I created 2 floating rules:
one on the wan interface
one on Lan and vlans interfaces
after 2 hours i have 58 events all on the wan interface.
These events have source ips mainly from usa which are geo filtered. I guess that is because the q-feed rule is matched before geo ip rule.

What i don't understand is the count of ips in alias that don't match anything on the tip dashboard.
On my tip dashboard i have :

Yes that's a known issue, we will sort this out soon.

Quote from: Q-Feeds on October 11, 2025, 09:48:36 AMYes the 50K is hardcoded because as you mentioned it takes some time and resources to parse the logs as for now.

Gives sense, but keep in mind even those 50K can for some users peg the CPU during load, cause not everybody is running official DEC HW or N100.
I would suggest here to create similar filtering as its in the official logs. Basically we can filter from last day, week, month, all. This is as well very good for Tshoots, or if I want to check back in history.

Would it be possible in the Events tab as well parse Source and Destination port for each of those states as well the action taken (allow, drop, reject)? (if it does not cause extra load on the CPU)


-----

I would like to propose as well another request most likely you have it on your roadmap but anyway.
We need more granular TI,PoC that are showed in TIP and polled into the OPNsense. Currently all is under 3 categories, but I believe it would be more beneficial to have subcategories.

For example we were doing some testing, and found out that Q-Feeds block public VPNs exit nodes such as Mullvad. Most likely this was due to some user of it was doing something that made it flagged into the TI. However this is to be expected as its a public VPN exit node and its shared, sadly it affects as well normal users not only the malicious ones. So having a subcategory like VPNs, would allow us to exclude it from blocking on the FW.

This as well goes hand in hand with whitelisting which would provide even more granular control within each category/subcategory.

Regards,
S.

Finally got around to installing this, and bought a plus license. Nothing much to add beyond the feedback already given - very impressed!

Agree with Seimus comments on VPN endpoints above

I don't think I've seen a comment for these:

-The manual/setup instructions don't explicitly tell you to enable logging for the rules you set up - that might not be obvious for less experienced users.

-Also when talking about Source/Destination and Block/Reject it says "For your LAN (source) rule you could use Reject" - per the rule examples is that not Rule 1 / Destination (rather than source)? 

How long before we might be able to utilise Domains and URLs feeds in OPNSense?

Quote from: Q-Feeds on October 10, 2025, 11:16:15 PM

Quote from: Lurick on October 10, 2025, 09:44:48 PM

Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

.....

Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.

Wel it could take up to 30 seconds to load the actual events. The missing tab is interesting, can't seem to reproduce that. Anyone else experiencing that?

Hmmm, interesting, here is a screenshot of what I see:
(https://i.imgur.com/bSS4InY.png)

Looks like the plugin didn't load for you properly, did you try to clear cache in the browser?

Regards,
S.

Quote from: Seimus on October 11, 2025, 01:17:38 PMLooks like the plugin didn't load for you properly, did you try to clear cache in the browser?

Regards,
S.

Yup, even opened opnsense in another browser since I use Firefox to be 1000% sure (Edge and Chrome in my case) and it always loads the same

Are you using a custom theme? If yes disable it.

Regards,
S.

Nope, just the Cicada theme from OPNSense
I did however try to use the stock opnsense theme too but the same results even after clearing cache and cookies on the browsers.
I also triple checked and no addons or anything are enabled either on the browsers.

Well Cicada is a custom theme. But if you tried the stock one and got same results there is something wrong.

Check the systems logs, when you click on the Events TAB if the logs show something going wrong.

Regards,
S.

I wonder, I did just install the new package over top without removing the old package, could that have caused issues?
What's the best way to uninstall so I can reinstall?

Command:
pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-0.1_1.pkg

You don't need to uninstall the old one.

I did the install just over the old one, it should seamlessly upgrade it.

To remove it you can run
pkg remove
 instead of

pkg add
Regards,
S.

Dang, I was hopeful but that still shows the same behavior even on stock theme
For logs I see this in the Web GUI log tab:
 (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.82/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-1: Connection refused

For backend I see:
[34c6aa36-3191-4630-92d7-cb4980e92036] Script action stderr returned "b'/bin/sh: /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py: not found'"

and

[8f76feea-fd1b-40e5-9b0a-9c4a4e852bfd] Script action failed with Command '/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py stats ' returned non-zero exit status 127. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py stats ' returned non-zero exit status 127.

One last question, on the Firmware > Plugins page I see
os-q-feeds-connector (misconfigured)

Is that anything to worry about?

Thats normal, once its put into the Core e.g proper repos it will not show anymore.

Regards,
S.

Quote from: Seimus on October 11, 2025, 12:44:14 PM

Quote from: Q-Feeds on October 11, 2025, 09:48:36 AMYes the 50K is hardcoded because as you mentioned it takes some time and resources to parse the logs as for now.

Gives sense, but keep in mind even those 50K can for some users peg the CPU during load, cause not everybody is running official DEC HW or N100.
I would suggest here to create similar filtering as its in the official logs. Basically we can filter from last day, week, month, all. This is as well very good for Tshoots, or if I want to check back in history.

............

Thank you for these great ideas! Some were already on the roadmap indeed; like the subcategories and whitelisting. I've added the filtering functionality to the backlog as wel, that might indeed solve the CPU load challenge.

Quote from: Lurick on October 11, 2025, 01:32:33 PMDang, I was hopeful but that still shows the same behavior even on stock theme
For logs I see this in the Web GUI log tab:
 (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.82/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-1: Connection refused

.........

Hmm interesting. Perhaps a reinstall of the plugin does the trick, like Seimus suggested ?
Otherwise could you provide us with the output of the following commands:

/usr/local/opnsense/scripts/qfeedsctl.py fetch_index -v
/usr/local/opnsense/scripts/qfeedsctl.py fetch -v
/usr/local/opnsense/scripts/qfeedsctl.py firewall_load -v

Quote from: Taunt9930 on October 11, 2025, 12:53:41 PMFinally got around to installing this, and bought a plus license. Nothing much to add beyond the feedback already given - very impressed!

Agree with Seimus comments on VPN endpoints above

I don't think I've seen a comment for these:

-The manual/setup instructions don't explicitly tell you to enable logging for the rules you set up - that might not be obvious for less experienced users.

-Also when talking about Source/Destination and Block/Reject it says "For your LAN (source) rule you could use Reject" - per the rule examples is that not Rule 1 / Destination (rather than source)? 

How long before we might be able to utilise Domains and URLs feeds in OPNSense?

First of all thank you very much for your trust and support!

Your documentation feedback is spot on and we will update it soon.

You can already use DNS if you're running AdGuard or Pi-hole. As mentioned, we're also adding this feature to the plugin. It requires some core changes, which is why it's taking a bit longer. We plan to release it later this year, though we can't give an exact timeline yet.

Quote from: Q-Feeds on October 11, 2025, 02:17:42 PM

Quote from: Lurick on October 11, 2025, 01:32:33 PMDang, I was hopeful but that still shows the same behavior even on stock theme
For logs I see this in the Web GUI log tab:
 (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.82/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-1: Connection refused

.........

Hmm interesting. Perhaps a reinstall of the plugin does the trick, like Seimus suggested ?
Otherwise could you provide us with the output of the following commands:

/usr/local/opnsense/scripts/qfeedsctl.py fetch_index -v
/usr/local/opnsense/scripts/qfeedsctl.py fetch -v
/usr/local/opnsense/scripts/qfeedsctl.py firewall_load -v

Sure, reinstall didn't fix it sadly

Quoteroot@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py fetch_index -v
send: b'GET /licenses.php HTTP/1.1\r\nHost: api.qfeeds.com\r\nUser-Agent: Q-Feeds_OPNsense\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nAuthorization: Basic {redacted}\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Sat, 11 Oct 2025 13:04:45 GMT
header: Server: Apache/2
header: X-Content-Type-Options: nosniff
header: Strict-Transport-Security: max-age=63072000; includeSubDomains
header: Upgrade: h2,h2c
header: Connection: Upgrade, Keep-Alive
header: Vary: Accept-Encoding,User-Agent
header: Content-Encoding: gzip
header: X-XSS-Protection: 1
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Referrer-Policy: no-referrer-when-downgrade
header: Feature-Policy: geolocation 'self'; vibrate 'none'
header: X-Download-Options: noopen
header: X-Permitted-Cross-Domain-Policies: master-only
header: X-DNS-Prefetch-Control: on
header: Strict-Transport-Security: max-age=31536000
header: Permissions-Policy: geolocation=*, midi=(), sync-xhr=(self "https://qfeeds.com" "https://www.qfeeds.com"), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self "https://qfeeds.com" "https://www.qfeeds.com")
header: Content-Length: 733
header: Keep-Alive: timeout=2, max=100
header: Content-Type: application/json
downloaded index to /var/db/qfeeds-tables/index.json
root@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py fetch -v
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-11T13:00:00Z]
skipped /var/db/qfeeds-tables/malware_domains.txt [2025-10-11T13:00:00Z]
skipped /var/db/qfeeds-tables/phishing_urls.txt [2025-10-11T13:00:00Z]
root@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py firewall_load -v
load feed malware_ip [no changes.]
root@firewall:/usr/local/opnsense/scripts/qfeeds #

I did have to use:
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py
instead of
/usr/local/opnsense/scripts/qfeedsctl.py
to run the three commands

Lurick, you have company I have the same problem.

Have done: pkg remove/pkg add

The problem remains.

QuoteI did have to use:
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py
instead of
/usr/local/opnsense/scripts/qfeedsctl.py
to run the three commands

Aah yes that was my mistake. The commands show the expected behavior.. you've tried a reboot already I guess ?

Or this "service configd restart"

Quote from: Q-Feeds on October 11, 2025, 03:41:36 PM

QuoteI did have to use:
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py
instead of
/usr/local/opnsense/scripts/qfeedsctl.py
to run the three commands

Aah yes that was my mistake. The commands show the expected behavior.. you've tried a reboot already I guess ?

Or this "service configd restart"

service configd restart didn't fix it but a firewall reboot did :)

Installed and working

Reboot worked here too, all three tabs show and working properly.

Thanks

Glad it worked out in the end !

Having worked through my process mentioned earlier, I have Q-Feeds working on my edge Opnsense on 25.7.5, and blocking stuff, apparently usefully. Now to questions around purchasing.

I notice on the Q-Feeds dashboard that I have access to Premium IPs, Domains, and URLs. The first of those, IPs, is available in the Plus (99€) package but URLs and Domains require the full Premium package, 249€. That is, after a Plus purchase and expiry of the testing phase, blocking will be worse than it is now. Is it possible to distinguish what proportion of current blocks are based on which list (/ tier)?

The tier for Plus includes support and allows 1-49 users, more people than the average family. Have you considered a tier without support for 1-5 users, a common home setup and licensing tier?

Why is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when everything has already been applied?

A query for anyone knowledgeable rather than specifically for Q-Feeds:
In some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP. While Opnsense blocks these anyway, it implies an internal address has leaked. Would BIND DNS answer such a query from the outside when the only useful answer is the external IP? Is my BIND in a knot? Is there some other interpretation? My Q-Feeds rules are standard, blocking malware sources on WAN only, malware destinations from internal LANs only.

For clarification, I now use Unbound for all internal DNS queries including redirection to the server while BIND on the server is the source for my domain address (external query).

Quote from: passeri on October 12, 2025, 03:32:25 AMHaving worked through my process mentioned earlier, I have Q-Feeds working on my edge Opnsense on 25.7.5, and blocking stuff, apparently usefully. Now to questions around purchasing.

I notice on the Q-Feeds dashboard that I have access to Premium IPs, Domains, and URLs. The first of those, IPs, is available in the Plus (99€) package but URLs and Domains require the full Premium package, 249€. That is, after a Plus purchase and expiry of the testing phase, blocking will be worse than it is now. Is it possible to distinguish what proportion of current blocks are based on which list (/ tier)?

The tier for Plus includes support and allows 1-49 users, more people than the average family. Have you considered a tier without support for 1-5 users, a common home setup and licensing tier?

Hi Passeri,

Thanks for your feedback!

As for now the widget on the TIP is broken. The number of IOCs shown does not represent the actual number of IOCs delivered and it shows premium to anyone, this is a known issue. So if you haven't bought a license you're most likely on the community edition.

At the moment that is not possible but I think it's great feedback to split them up, we'll take it in consideration. That said premium doesn't automatically mean more blocks but it does contain fresher and -in most cases- more severe IOCs. Think about APT groups and that kind of threats.

At what price point do you think such a package should be? And then only including Premium IP, no threat lookup and support?

Quote from: Q-Feeds on October 12, 2025, 09:57:05 AMHi Passeri,

Thanks for your feedback!

As for now the widget on the TIP is broken. The number of IOCs shown does not represent the actual number of IOCs delivered and it shows premium to anyone, this is a known issue. So if you haven't bought a license you're most likely on the community edition.

At the moment that is not possible but I think it's great feedback to split them up, we'll take it in consideration. That said premium doesn't automatically mean more blocks but it does contain fresher and -in most cases- more severe IOCs. Think about APT groups and that kind of threats.

At what price point do you think such a package should be? And then only including Premium IP, no threat lookup and support?

I assumed threat lookup would be included. Without it, 15€, with it 40€, no support, limit of 5 users but how would that be counted, I realise. That means (with threat lookup) your own benefit amounts only to the support load avoided. I fear my idea is sinking fast. :-)

Quote from: passeri on October 12, 2025, 10:31:56 AMI assumed threat lookup would be included. Without it, 15€, with it 40€, no support, limit of 5 users but how would that be counted, I realise. That means (with threat lookup) your own benefit amounts only to the support load avoided. I fear my idea is sinking fast. :-)

I get it but I'm afraid we keep it this way. We do have our costs to the paid feeds as well which is defined per user package. The benefit is that you can invite a lot people on your guest network within the Plus package :-)

Btw we've repaired the widgets so the number showing in the TIP should be corresponding with the widget on your OPNsense instance.

Quote from: passeri on October 12, 2025, 03:48:28 AMIn some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP.

Check your rule set. NAT rules are applied before filter rules! So an inbound NAT port forward, maybe?

I'm very interested in any new capabilities that can enhance security, but looking to understand this a little better for home network use and value before I try it out.

The paid version gives proprietary, professional feeds which is great... For the free version it utilizes strictly open source feeds, correct? If so, which open source feeds are being utilized (I couldn't find it in the Q-Feeds knowledge center)? What is the added value in using a Q-Feeds plugin to manage this rather than adding these firewall and dns block lists yourself, separately without a plugin?

Quote from: irrenarzt on October 12, 2025, 03:24:59 PMI'm very interested in any new capabilities that can enhance security, but looking to understand this a little better for home network use and value before I try it out.

The paid version gives proprietary, professional feeds which is great... For the free version it utilizes strictly open source feeds, correct? If so, which open source feeds are being utilized (I couldn't find it in the Q-Feeds knowledge center)? What is the added value in using a Q-Feeds plugin to manage this rather than adding these firewall and dns block lists yourself, separately without a plugin?

That would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

We also look at how frequently a specific IOC f.e appears across our sources. If it's found everywhere, we usually don't include it. Not because it's harmless, but because it's already covered by all the other solutions, like your browser or antivirus. So adding it again wouldn't add any real value. These and many other correlations help shape the curated feed we deliver.

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PMbut because it's already covered by all the other solutions, like your browser or antivirus

Haha, not sure about others but, Linux user here (Servers, Desktops and I would put it on my dog if he did support it) ;). Also Antivirus programs today are more like a spyware...

Regards,
S.

Quote from: Seimus on October 12, 2025, 05:30:25 PM

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PMbut because it's already covered by all the other solutions, like your browser or antivirus

Haha, not sure about others but, Linux user here (Servers, Desktops and I would put it on my dog if he did support it) ;). Also Antivirus programs today are more like a spyware...

Regards,
S.

True, Linux is generally more secure and less targeted than Windows but it's definitely not immune.
There are plenty of active threats targeting Linux servers today, especially in the context of botnets and cryptominers. For example:

• Mirai and variants: brute-forcing SSH or exploiting weak IoT setups.
• Kinsing / P2PInfect: abusing Docker and Redis misconfigurations to deploy cryptominers.
• Kaiji and Tsunami: malware families designed specifically for Linux to perform DDoS attacks.
• QNAPCrypt / RansomEXX: ransomware that encrypts data on Linux systems.

Q-Feeds helps block the command-and-control servers, download URLs, and malicious IPs tied to these campaigns before they can interact with your systems. So even for hardened Linux setups, there's a value in filtering known bad traffic at the network layer.

Quote from: Q-Feeds on October 12, 2025, 11:14:56 PMSo even for hardened Linux setups, there's a value in filtering known bad traffic at the network layer.

Not arguing about, that's one of the reasons why many of us are running FWs like OPNsense at home, or DNS blackholes like PiHole & Adguard ~ granularity and control.

Thats why Q-Feeds is an interesting addition. Proactive prevention is better than reactive action.

Regards,
S.

Quote from: Patrick M. Hausen on October 12, 2025, 02:00:57 PM

Quote from: passeri on October 12, 2025, 03:48:28 AMIn some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP.

Check your rule set. NAT rules are applied before filter rules! So an inbound NAT port forward, maybe?

I checked all NAT rules carefully and they seem good, allowing only certain ports specifically on the public IP. In general terms all my rules are whitelist over default deny. I will do a second tracing later today.

This is not a Q-Feeds thing so I will raise anything else about it elsewhere. The "problem" (given all such attacks are blocked anyway) could simply arise from an internal address leaking in some other e-mailed document at some point over the last 25 years during which that address has existed.

This earlier query from me has no response from Q-Feeds yet.

Quote from: passeri on October 12, 2025, 03:48:28 AMWhy is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?

Having logged in to Q-Feeds web page I purchased a one year licence. At the top of the checkout page it invited me to login if I had purchased anything before. I had not, and had already logged in, so I proceeded, to find that I have now been sent a new account login.

Firstly you need a warning that being logged in does not mean the payment page thinks you are logged in. Secondly, please mention that getting a community key for testing represents a "purchase".

I will e-mail about trying to get the new account merged into the old.

Quote from: passeri on October 13, 2025, 12:58:44 AMThis earlier query from me has no response from Q-Feeds yet.

Quote from: passeri on October 12, 2025, 03:48:28 AMWhy is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?

In all modern pages the Apply button does not disappear after an apply, thats intentional design.

If I open Rules, for example, no Apply button appears. If I create or modify a rule, then I can Save or Cancel. Afterwards, "Apply changes" appears.

Having Apply when there has been no change is not currently uniform practice and brings no advantage I can observe, whereas it can add confusion in that it implies that something changed, which might or might not be true.

The apply button vanishes in non mvc pages like interfaces and the firewall rules.

But if you check the new Firewall - Automation - Filter or any other new page (dnsmasq, kea, ipsec connections, openvpn, wireguard...) the apply button is always there.

Quote from: passeri on October 12, 2025, 03:48:28 AMWhy is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?

As Cedrik pointed out this is in most cases the OPNsense standard. That said on the 'Feeds' and 'Events' tab it doesn't make sense to show an apply button since there's nothing to apply anyway.

Quote from: passeri on October 13, 2025, 03:04:22 AMHaving logged in to Q-Feeds web page I purchased a one year licence. At the top of the checkout page it invited me to login if I had purchased anything before. I had not, and had already logged in, so I proceeded, to find that I have now been sent a new account login.

Firstly you need a warning that being logged in does not mean the payment page thinks you are logged in. Secondly, please mention that getting a community key for testing represents a "purchase".

I will e-mail about trying to get the new account merged into the old.

Hi Passeri,

This is great feedback and sorry for the confusion about the account creation. The website and checkout pages are currently not using the same login system as the TIP, that's why a new account was created. We will look into this!

Quote from: Q-Feeds on October 13, 2025, 08:09:44 AMHi Passeri,

This is great feedback and sorry for the confusion about the account creation. The website and checkout pages are currently not using the same login system as the TIP, that's why a new account was created. We will look into this!

All is installed and working thank you.

Quote from: Monviech (Cedrik) on October 13, 2025, 06:35:46 AMThe apply button vanishes in non mvc pages like interfaces and the firewall rules.

But if you check the new Firewall - Automation - Filter or any other new page (dnsmasq, kea, ipsec connections, openvpn, wireguard...) the apply button is always there.

Yes, but my query is why? I am simply curious. What problem is solved by having Apply ever-present and active regardless of relevance? The risks might be mild, over-use with sometimes long delays for superfluous updates, or more severe, neglecting to use it when needed. These are avoidable on the traditional basis that Save appears (or is enabled) when necessary and not otherwise, a useful flag.

If the new paradigm were to make it ever-present then there ought to be a flag on each such page to indicate whether the page is dirty.

Hello,

can you add me also to your testers list.

Thanks

Quote from: mschaeffler on October 13, 2025, 11:17:55 AMHello,

can you add me also to your testers list.

Thanks

It is already open. Here are instructions: https://forum.opnsense.org/index.php?msg=249660

Hello, excuse me if this is a stupid question but can you please explain why for the LAN firewall rule the direction is IN?

Thanks!

Because a packet from a host on the LAN network is coming IN to the firewall through the LAN interface. IN and OUT are from the interface point of view.

Security: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

Q-Feeds_Events.png

Quote from: Maurice on October 13, 2025, 07:13:55 PMSecurity: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

Q-Feeds_Events.png

I am seeing the same, no interface and every event twice.

Quote from: Patrick M. Hausen on October 13, 2025, 06:56:43 PMBecause a packet from a host on the LAN network is coming IN to the firewall through the LAN interface. IN and OUT are from the interface point of view.

Thanks Patrick!

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PMThat would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

I used to block via freely available lists and now that I activated your plugin I put that "block based on free lists" rule after the Q-Feeds one.

Result: for 100 blocked connections 72 are caught by Q-Feeds and still 28 by the free lists.

My free lists are:

FireHOL1
FireHOL2
FireHOL3
Spamhaus DROP
Spamhaus DROP6
Herr Bischoff's IP blocklist (https://ipbl.herrbischoff.com/list.txt)

Surprised at least FireHOL and Spamhaus are apparently not included in your feed?

Kind regards,
Patrick

P.S. I can send you a list of addresses if you want to investigate. And of course these numbers vary a bit over time, but roughly 25-30% make it past your feeed and are caught by my other block lists.

Quote from: Maurice on October 13, 2025, 07:13:55 PMSecurity: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

Quote from: wbennett on October 13, 2025, 07:40:42 PMI am seeing the same, no interface and every event twice.

Well it wasn't known, so thank you for reporting!

Quote from: Patrick M. Hausen on October 13, 2025, 08:22:13 PM

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PMThat would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

P.S. I can send you a list of addresses if you want to investigate. And of course these numbers vary a bit over time, but roughly 25-30% make it past your feeed and are caught by my other block lists.

It would definitely be interesting to see which IOCs got past our lists. As mentioned we do quite some processing on all the feeds we have so maybe we need to make some adjustments. Or maybe they're not interesting enough :) Happy to investigate !

I'll send you a DM with as much entries as the Live View allows.

Anyway I thought including FireHOL and Spamhaus by default would be a no-brainer. Reputable open sources.

Kind regards,
Patrick

Quote from: Patrick M. Hausen on October 13, 2025, 09:15:57 PMI'll send you a DM with as much entries as the Live View allows.

Anyway I thought including FireHOL and Spamhaus by default would be a no-brainer. Reputable open sources.

Kind regards,
Patrick

Thanks a lot! Please give us a few days to have a look at it. Well the interesting part is that we do monitor those lists, but we process feeds, not just copy and paste everything in our feed. FYI we monitor over 70 million IOCs in our backend (and counting).

Quote from: wbennett on October 13, 2025, 07:40:42 PM

Quote from: Maurice on October 13, 2025, 07:13:55 PMSecurity: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

Q-Feeds_Events.png

I am seeing the same, no interface and every event twice.

More information will be needed. Mine operates normally, populating the interface and without duplication.

I use a DEC697 and have no extras beyond Q-Feeds Plus and Crowdsec free.

Pretty basic setup.

The firewall rules are:
block drop in log quick on vtnet0 inet from <__qfeeds_malware_ip:667695> to any
block drop in log quick on vtnet0 inet6 from <__qfeeds_malware_ip:667695> to any

Events are only duplicated in Security: Q-Feeds Connect: Events. They show up correctly (only once) in Firewall: Log Files: Plain View.

vtnet0 is the WAN interface:

wan config.png

Firewall: Rules: Floating

On Rule 1: Interface (LAN) only no other.

On Rule 2: Interface (WAN) only no other.

Had the same problem, in my case I had (LAN WG0) and (WAN WG0) removed (WG0) on both
now I get all single entries.

Note: After you make the change Events will lose all its entries, it takes around
5-10 minutes before new entries re-appear one at a time.

I also have TCP/IP Version: (IPv4) only as choice.

I experimented with Threat Lookup using the first couple of entries in the Events list, i.e. the most recent. One of those IPs, 118.38.108.242, returned no results?

Does that mean it is not on or no longer on any threat list or it is but nobody knows why it is there?

Quote from: passeri on October 14, 2025, 03:09:21 AMI experimented with Threat Lookup using the first couple of entries in the Events list, i.e. the most recent. One of those IPs, 118.38.108.242, returned no results?

Does that mean it is not on or no longer on any threat list or it is but nobody knows why it is there?

That is interesting! That IP is not in our database (anymore).

Quote from: Patrick M. Hausen on October 13, 2025, 08:22:13 PM

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PMThat would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

I used to block via freely available lists and now that I activated your plugin I put that "block based on free lists" rule after the Q-Feeds one.

Result: for 100 blocked connections 72 are caught by Q-Feeds and still 28 by the free lists.

My free lists are:

FireHOL1
FireHOL2
FireHOL3
Spamhaus DROP
Spamhaus DROP6
Herr Bischoff's IP blocklist (https://ipbl.herrbischoff.com/list.txt)

Surprised at least FireHOL and Spamhaus are apparently not included in your feed?

Kind regards,
Patrick

P.S. I can send you a list of addresses if you want to investigate. And of course these numbers vary a bit over time, but roughly 25-30% make it past your feeed and are caught by my other block lists.

I also noticed the same thing. Can assist if needed.

Quote from: Patrick M. Hausen on October 13, 2025, 09:15:57 PMAnyway I thought including FireHOL and Spamhaus by default would be a no-brainer. Reputable open sources.

When I was setting up my blocklists some time ago I was curious which FireHOL level to use and did some digging.

I noticed that quite a few source lists in there are stale. Some have changed the URL or format or are not (publicly) available anymore.

Since FireHOL keeps the last available copy of all sources in its own repo, that means (for better or worse) that it probably contains a lot of IPs that at some point were part of a source blocklist but aren't anymore.

I use these:
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset
https://www.spamhaus.org/drop/drop_v4.json
https://www.spamhaus.org/drop/drop_v6.json
https://ipbl.herrbischoff.com/list.txt

All actively maintained and current, it seems.

We've checked the logs you've send over and here are our first findings:

• High false positive risk IOCs: Some of the addresses weren't included in our feed because they score high on false-positive risk. For example, GitHub IPs, Google bots, and other cloud infrastructure. While blocking these could work in some setups, it could disrupt others. We intentionally exclude them to reduce potential support pressure and avoid accidental outages. This ensures our feed is reliable for a wide range of users rather than only aggressive environments.
• FireHOL lists: FireHOL contains very large subnets, which can cause a lot of false positives. They themselves recommend using their lists for enrichment rather than direct blocking if I'm not mistaken.. Blocking whole /16 or /8 subnets is extremely risky for production networks, which is why our feed focuses on more precise, actionable IOCs. It does create a lot of hits though ;-)
• Warning for those unfamiliar: FireHOL 1 also contains RFC1918 private addresses never use it outside of WAN interfaces unless you know what you're doing.
• Older known IOCs: Some addresses were excluded because they've been known for a long time and are often already mitigated by other protections. We've adjusted our algorithms to stretch coverage safely where it makes sense, but the goal is always to maximize real threat protection without introducing unnecessary noise.
• Focus on real threats: The "missing" addresses are mostly potentially unwanted traffic but not truly dangerous. Our feed prioritizes high-confidence threats as much as possible, so users aren't blocked by mass "noise" like search engine bots, proxies, or reused cloud IPs. Benchmarking purely by count can be misleading, blocking one actual APT attack is worth far more than tens of thousands of minor unwanted connections for us.
• Complementary lists: There's no "one list to rule them all." Q-Feeds is optimized for precision, but free lists like FireHOL or Spamhaus DROP can still be valuable for enrichment or as an extra layer for some situations and users. Using them together is a solid strategy.

That said, your feedback is very useful, and we can continue looking at those edge cases to improve coverage where it makes sense.
Thanks again for your detailed testing really helps us improve!

Turns out the Interface column in Security: Q-Feeds Connect: Events only shows the interface's (optional) description, not its identifier (lan / wan / opt[n]). If there is no description, the column remains empty.

This could be improved - show both or show the identifier if the interface doesn't have a description.

Quote from: Q-Feeds on October 14, 2025, 12:50:22 PMWe've checked the logs you've send over and here are our first findings:

• High false positive risk IOCs: Some of the addresses weren't included in our feed because they score high on false-positive risk. For example, GitHub IPs, Google bots, and other cloud infrastructure. While blocking these could work in some setups, it could disrupt others. We intentionally exclude them to reduce potential support pressure and avoid accidental outages. This ensures our feed is reliable for a wide range of users rather than only aggressive environments.
• FireHOL lists: FireHOL contains very large subnets, which can cause a lot of false positives. They themselves recommend using their lists for enrichment rather than direct blocking if I'm not mistaken.. Blocking whole /16 or /8 subnets is extremely risky for production networks, which is why our feed focuses on more precise, actionable IOCs. It does create a lot of hits though ;-)
• Warning for those unfamiliar: FireHOL 1 also contains RFC1918 private addresses never use it outside of WAN interfaces unless you know what you're doing.

Understood. I only block inbound connections on WAN via IP lists, not outbound connections. The latter I leave to DNS based blocking via AGH.

So no harm done, au contraire, rather, when cloud addresses and bots cannot access e.g. my Nextcloud.

Thanks for the quick and thorough analysis. I'll switch the order of rules around to see what percentage your service catches that FireHOL and Spamhaus don't. I'll report back.

Kind regards,
Patrick

Quote from: Maurice on October 14, 2025, 03:29:35 PMTurns out the Interface column in Security: Q-Feeds Connect: Events only shows the interface's (optional) description, not its identifier (lan / wan / opt[n]). If there is no description, the column remains empty.

This could be improved - show both or show the identifier if the interface doesn't have a description.

Thanks for catching this!

Quote from: Maurice on October 14, 2025, 03:29:35 PMSecurity: Q-Feeds Connect: Events

Where exactly is that, please? OPNsense or TIP? Could not find it.

Quote from: Patrick M. Hausen on October 14, 2025, 03:52:00 PM

Quote from: Maurice on October 14, 2025, 03:29:35 PMSecurity: Q-Feeds Connect: Events

Where exactly is that, please? OPNsense or TIP? Could not find it.

That's in the OPNsense plugin; we've released an update ;)  https://forum.opnsense.org/index.php?topic=49123.msg249660#msg249660

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-1.1.pkg

!!   Another Update   !!

Today we launch another version including DNS (Unbound) support. For this to work you can set the setting in the Q-Feeds Plugin. It's also important that Unbound is enabled with Blocklists enabled as well. There's no need to select a list within the Unbound plugin but you can always select extra lists.

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-1.1.pkg
We are also included in the business edition release of tomorrow. As the first launch you can find us with the 'community' plugins.

Quote from: Q-Feeds on October 14, 2025, 08:58:12 PMThere's no need to select a list within the Unbound plugin but you can always select extra lists.

The last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.

Quote from: Q-Feeds on October 14, 2025, 03:48:15 PM

QuoteThis could be improved - show both or show the identifier if the interface doesn't have a description.

Thanks for catching this!

This is now fixed in 1.1. The events list displays interface identifiers for interfaces without a description.

All events showing up twice is not fixed yet.

All,
    I'm receiving the following error after updating to 1.1: Rate limit exceeded for company: xxxxx's Company on feed malware_ip
    I went to the tip.qfeeds.com site as I had disabled the rate limiting when I first installed for 5 minutes, looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use seperate API keys for each node, should I configure a 2nd API key for the 2nd node?

Zz00mm

Quote from: Maurice on October 15, 2025, 04:38:47 AMThe last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.

Thx for spotting this, will get working on it! We were able to reproduce it.

Quote from: zz00mm on October 15, 2025, 04:59:43 AMAll,
    I'm receiving the following error after updating to 1.1: Rate limit exceeded for company: xxxxx's Company on feed malware_ip
    I went to the tip.qfeeds.com site as I had disabled the rate limiting when I first installed for 5 minutes, looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use seperate API keys for each node, should I configure a 2nd API key for the 2nd node?

Zz00mm

Hi zz00mm,

The best way is indeed to have a separate API key for the 2nd node. We did make some changes just now to the rate limits, seemed that some accounts were to restrictive after our last change. If you send me your TIP username in a DM we can have a look at the logs.

Stefan

Quote from: Maurice on October 15, 2025, 04:52:53 AMThis is now fixed in 1.1. The events list displays interface identifiers for interfaces without a description.

All events showing up twice is not fixed yet.

Yes that's fixed indeed! We're investigating the double events although we're not able to reproduce yet.

Quick IP blocklist update

• Filtering inbound on WAN
• Free block lists: FireHOL (all levels), Spamhaus DROP and DROP6, "Herr Bischoff"
• Sample: 1000 blocked connection attempts

Q-Feeds first:

• Caught by Q-Feeds: 70%
• Caught by the free lists: 30%

Free lists first:

• Caught by the free lists: 93%
• Caught by Q-Feeds: 7%

So the free lists block a lot more than Q-Feeds does. Which is not a measure of quality as has already been argued.

I will keep both in place.

Quote from: Q-Feeds on October 15, 2025, 08:51:22 AMWe're investigating the double events although we're not able to reproduce yet.

Let me know if you need more details. The affected firewall rule is:

Interface: WAN (not floating)
Action: Block
Quick: Enabled
Direction: in
TCP/IP Version: IPv4+IPv6
Source: __qfeeds_malware_ip
Log: Enabled
Category: Q-Feeds

A typical match in Firewall: Log Files: Plain View looks like this:
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,241,2711,0,none,6,tcp,44,202.93.142.22,10.0.0.194,62182,443,0,S,486549660,,1025,,mss

Quote from: Maurice on October 15, 2025, 11:43:35 AM

Quote from: Q-Feeds on October 15, 2025, 08:51:22 AMWe're investigating the double events although we're not able to reproduce yet.

Let me know if you need more details. The affected firewall rule is:

Interface: WAN (not floating)
Action: Block
Quick: Enabled
Direction: in
TCP/IP Version: IPv4+IPv6
Source: __qfeeds_malware_ip
Log: Enabled
Category: Q-Feeds

A typical match in Firewall: Log Files: Plain View looks like this:

Code Select Expand

66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,241,2711,0,none,6,tcp,44,202.93.142.22,10.0.0.194,62182,443,0,S,486549660,,1025,,mss

Does this command also output duplicates?
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs

I see a lot of "duplicate" hits as well but that's the nature of networking and retries, in my case it happens sometimes with 8 hits after each other. But they don't seem to be displayed 'twice' if you understand what I mean.

Quote from: Patrick M. Hausen on October 15, 2025, 11:20:54 AMQuick IP blocklist update

• Filtering inbound on WAN
• Free block lists: FireHOL (all levels), Spamhaus DROP and DROP6, "Herr Bischoff"
• Sample: 1000 blocked connection attempts

Q-Feeds first:

• Caught by Q-Feeds: 70%
• Caught by the free lists: 30%

Free lists first:

• Caught by the free lists: 93%
• Caught by Q-Feeds: 7%

So the free lists block a lot more than Q-Feeds does. Which is not a measure of quality as has already been argued.

I will keep both in place.

Nice Patrick! Thank you for these insights!

Yes, qfeedsctl.py logs also outputs duplicates. Not sometimes, but always. And always exactly two times the same entry, never more.

I'm pretty sure this happens when the Q-Feeds plugin parses the firewall logs; the raw logs in /var/log/filter/ don't contain duplicates.

Quote from: Maurice on October 15, 2025, 06:18:50 PMYes, qfeedsctl.py logs also outputs duplicates. Not sometimes, but always. And always exactly two times the same entry, never more.

I'm pretty sure this happens when the Q-Feeds plugin parses the firewall logs; the raw logs in /var/log/filter/ don't contain duplicates.

Thanks a lot! We've found it, and apparently I was looking at the same behavior all the time but in my case it was x6 because of multiple interfaces in my rule.. That said we will make sure it's solved in the next release. fyi: https://github.com/opnsense/plugins/commit/9432d3e4d906c0b039fc400ab691342c9a1a7f70

Quote from: Maurice on October 15, 2025, 04:38:47 AM

Quote from: Q-Feeds on October 14, 2025, 08:58:12 PMThere's no need to select a list within the Unbound plugin but you can always select extra lists.

The last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.

And thanks a lot for this one as well! Will be solved in the next release as well: https://github.com/opnsense/plugins/pull/4979

Here you can find the latest package with the bug fixes for Unbound and the Events page:

pkg add -f https://qfeeds.com/os-q-feeds-connector-1.1_2.pkg
For those new:

Login via ssh as root (or using sudo), and run the command above.
The manual can be found here: https://qfeeds.com/opnsense/ (https://qfeeds.com/opnsense/) on the bottom of the page.

(The dns instructions will be added soon)

Quote from: Q-Feeds on October 16, 2025, 02:26:28 PMHere you can find the latest package with the bug fixes for Unbound and the Events page

Both fixes work as intended, thanks!

(In the Unbound settings, I had to reapply the DNSBLs and restart the service for it to merge and load the lists.)

Did the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.

Quote from: Lurick on October 17, 2025, 03:09:19 PMDid the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.

That's severe! Can you share some logs? Which blocks have been registered?

Quote from: Q-Feeds on October 17, 2025, 03:13:39 PM

Quote from: Lurick on October 17, 2025, 03:09:19 PMDid the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.

That's severe! Can you share some logs? Which blocks have been registered?

Just reverted the set (temporary) from a few hours ago, yet I'm not able to reproduce your problem without a bit more information. If you pull the list now it should solve.

Quote from: Q-Feeds on October 17, 2025, 03:13:39 PM

Quote from: Lurick on October 17, 2025, 03:09:19 PMDid the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.

That's severe! Can you share some logs? Which blocks have been registered?

It seemed to be blocking everything outbound from the LAN interface, from 192.168.0.0/16
Which logs should I collect to help narrow this down?

(https://i.imgur.com/fko1YnL.png)

(https://i.imgur.com/r3uwIq0.png)

Quote from: Lurick on October 17, 2025, 03:34:57 PM(https://i.imgur.com/fko1YnL.png)

(https://i.imgur.com/r3uwIq0.png)

Thx! Still investigating but can't seem to find any RFC IOCs in our list. Which shouldn't either of course!

Hey guys,

Can you tell me why did you pushed into your TI subnets

0.0.0.0/1
64.0.0.0/2

This caused a huge network outage and blocked everything..
This as well caused the issues described above...

Regards,
S.

We've learned a valuable lesson just now. One of our premium suppliers pushed two IP Adresses into our list:

64.52.80.21/2
64.52.80.21/1

We do have several filters to filter False Positives and RFC related stuff. Unfortunately we were not prepared for IOCs as shown above.
As you've already experienced this caused a major disruption. We're really sorry for it, and obviously we'll take extensive measures to prevent this in the future.

Thank you very much for letting us know, it helps us to react quickly and improve our services. Once more very sorry for the disruption it has caused!

This was nasty,

Please be careful with such things pushing into TIs. As this is one of the things that should NEVER HAPPEN.

Also keep in mind not many users are able to restore their connectivity using the console. So this could result into a hard-lock.

Regards,
S.

Quote from: Seimus on October 17, 2025, 05:01:50 PMThis was nasty,

Please be careful with such things pushing into TIs. As this is one of the things that should NEVER HAPPEN.

Also keep in mind not many users are able to restore their connectivity using the console. So this could result into a hard-lock.

Regards,
S.

Can't agree more! And thank you for staying polite... ;-) This was a huge one and we promise take measures against it!

Quote from: Q-Feeds on October 17, 2025, 05:08:58 PMCan't agree more! And thank you for staying polite... ;-) This was a huge one and we promise take measures against it!

Indeed there is no reason to be rude, my comment was in good will, so I am glad it didn't sounded like I am going to burn a farm.

Can happen to anyone, there is saying we like to use in work;

Quote"Trust but verify."
          - Bunch of tired engineers

Quote from: Seimus on October 17, 2025, 05:16:15 PM

Quote from: Q-Feeds on October 17, 2025, 05:08:58 PMCan't agree more! And thank you for staying polite... ;-) This was a huge one and we promise take measures against it!

Indeed there is no reason to be rude, my comment was in good will, so I am glad it didn't sounded like I am going to burn a farm.

Can happen to anyone, there is saying we like to use in work;

Quote"Trust but verify."
          - Bunch of tired engineers

Haha you're absolutely right, but I can imagine some nasty words came up your mind when this happend.. ;)
That said it was panic on our side as you can imagine and we might put that saying up on our wall :D

Quote from: Q-Feeds on October 17, 2025, 05:18:57 PMHaha you're absolutely right, but I can imagine some nasty words came up your mind when this happend.. ;)

It was more of an initial surprise "wtf did I do this time" cause I am lately doing a lot of implementations

Quote from: Q-Feeds on October 17, 2025, 05:18:57 PMThat said it was panic on our side as you can imagine and we might put that saying up on our wall :D

Feel free :), if nothing at least some fun.

Regards,
S.

Quick question and two requests.

I try to access the main q-feeds page to access the account https://qfeeds.com/my-account (not speaking about TIP). But its not working getting Error 406.
Same happens now for some reason for https://qfeeds.com. TIP works okay.


R1: The subscription management looks like is on a different system from TIP. Would not be it better if subscription management is handled as well from the TIP?
As the license is there anyway?

R2: When we have multiples API keys, checking the API logs from TIP does not clearly state what API key did what. There is a key ID but that ID isnt clearly showing which key is which. Would it be possible for that specific ID associate the Description? Or include that ID in the API key management.

Regards,
S.

Quote from: Seimus on October 17, 2025, 07:28:39 PMQuick question and two requests.

I try to access the main q-feeds page to access the account https://qfeeds.com/my-account (not speaking about TIP). But its not working getting Error 406.
Same happens now for some reason for https://qfeeds.com. TIP works okay.


R1: The subscription management looks like is on a different system from TIP. Would not be it better if subscription management is handled as well from the TIP?
As the license is there anyway?

R2: When we have multiples API keys, checking the API logs from TIP does not clearly state what API key did what. There is a key ID but that ID isnt clearly showing which key is which. Would it be possible for that specific ID associate the Description? Or include that ID in the API key management.

Regards,
S.

Hi S.

That's exactly what we thought, that said the integration of the subscription management pages and the TIP is actually already in development.
For the logging, that's a great idea as well! I've added it to the list!

That 406 error is interesting! We'll start investigating.
Edit: Solved, a bit too restrictive WAF.

Quote from: Q-Feeds on October 17, 2025, 07:47:33 PMEdit: Solved, a bit too restrictive WAF.

Thanks!

Now I can access it but... When I fill in the creds I get:

QuoteThere has been a critical error on this website.

Looks like I am being unlucky today.

Regards,
S.

Quote from: Seimus on October 17, 2025, 08:08:37 PM

Quote from: Q-Feeds on October 17, 2025, 07:47:33 PMEdit: Solved, a bit too restrictive WAF.

Thanks!

Now I can access it but... When I fill in the creds I get:

QuoteThere has been a critical error on this website.

Looks like I am being unlucky today.

Regards,
S.

haha Murphy's law... Funny thing was that this was caused by a part of the integration between the website and the TIP which is already implemented in the background. That said it's solved now, you should be able to login. Now fingers crossed for the next issue haha

Yea, I tent to be unlucky when I don't try to do anything bad....

Can confirm it works now. Many thanks for fixing it so quickly!

Regards,
S.

Quote from: Seimus on October 17, 2025, 08:19:47 PMYea, I tent to be unlucky when I don't try to do anything bad....

Can confirm it works now. Many thanks for fixing it so quickly!

Regards,
S.

On our end it seems to go the other way around today... :D
Thanks for letting us know and your support!

I am seeing many blocks, all to the WAN interface but not a single block from the LAN. Is this normal behaviour or is there something I messed up?

Quote from: wbennett on October 18, 2025, 12:16:11 AMI am seeing many blocks, all to the WAN interface but not a single block from the LAN. Is this normal behaviour or is there something I messed up?

It means you're behaving yourself, your devices probably aren't part of a botnet, you likely don't have any viruses, and your LAN's in good health 😄
Jokes aside, that's expected behavior. Most bad traffic comes from the outside, and if you're not seeing outbound blocks, that's actually a good sign.

Well, bought the Plus license. I like the overall premise + bonus points for listening to the community.

Cant say as a community we have always the best or brightest ideas, but so far changes made based on community feedback were very welcome. I hope this cooperation between Q-Feeds and community will continue.

Regards,
S.

Qfeeds,
      the Q-Feeds widget on the dashboard show's IP's are being block, right now 1633
      Security-> Q-Feeds Connect -> Events: shows nothing.
      qfeedsctl.py logs via command line: output show nothing.
      cat /var/log/filter/latest.log | grep block: does show IPs being blocked on em1 (WAN)
      What information can I provide to troubleshoot this?
      Config:
      running os-q-feeds-connecter-1.1_2, GUI plugin shows version 1.1 not 1.1_2
      completely uninstalled and reinstalled version 1.1_2 just to doublecheck myself.
      2 Node HA cluster
      10 vLANs internal network

Zz00mm

qfeedsctl.py stats:
{"feeds":[{"name":"malware_ip","total_entries":491863,"packets_blocked":16765,"bytes_blocked":791023,"addresses_blocked":1645}],"totals":{"entries":491863,"addresses_blocked":1645,"packets_blocked":16765,"bytes_blocked":791023}}
qfeedsctl.py logs:
{"rows":[]}
qfeedsctl.py show_index:
{"company_info":{"id":106,"name":"xxxxxxx Company","token_expiration":null,"p                                                                                       remium_access":false},"security_settings":{"rate_limit_window":10,"allowed_ips":                                                                                       "*","allowed_user_agents":"*"},"licensing_summary":{"features":{"total":5,"licen                                                                                       sed":0,"unlicensed":5},"feeds":{"total":3,"licensed":3,"unlicensed":0}},"feature                                                                                       s":[{"id":1,"name":"attack_surface","description":"Access to the External Attack                                                                                       -Surface Management functionality.","licensed":false},{"id":6,"name":"manage_api                                                                                       _key_settings","description":"Allows users to edit advanced settings for API key                                                                                       s, such as IP restrictions, feed access, and rate limits.","licensed":false},{"i                                                                                       d":3,"name":"manage_users","description":"Ability to create, edit, and delete su                                                                                       b-users.","licensed":false},{"id":7,"name":"support","description":"Access to su                                                                                       pport ticketing system and false positive reporting","licensed":false},{"id":4,"                                                                                       name":"threat_lookup","description":"Access to the Threat-Intelligence lookup fu                                                                                       nctionality.","licensed":false}],"feeds":[{"id":9,"feed_type":"malware_ip","type                                                                                       ":"ip","description":"Malicious IP addresses","created_at":"2024-09-02T12:00:00Z                                                                                       ","updated_at":"2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19                                                                                       T00:17:31Z","licensed":true,"local_filename":"\/var\/db\/qfeeds-tables\/malware_                                                                                       ip.txt","updated_at_dt":1760745600.0,"next_update_dt":1760833051.0},{"id":10,"fe                                                                                       ed_type":"malware_domains","type":"domains","description":"Malicious domain name                                                                                       s","created_at":"2024-09-02T12:00:00Z","updated_at":"2025-10-18T00:00:00Z","freq                                                                                       uency":1200,"next_update":"2025-10-19T00:17:31Z","licensed":true,"local_filename                                                                                       ":"\/var\/db\/qfeeds-tables\/malware_domains.txt","updated_at_dt":1760745600.0,"                                                                                       next_update_dt":1760833051.0},{"id":11,"feed_type":"phishing_urls","type":"urls"                                                                                       ,"description":"Phishing URLS","created_at":"2024-09-02T12:00:00Z","updated_at":                                                                                       "2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19T00:17:31Z","li                                                                                       censed":true,"local_filename":"\/var\/db\/qfeeds-tables\/phishing_urls.txt","upd                                                                                       ated_at_dt":1760745600.0,"next_update_dt":1760833051.0}]}

Currently I am getting an error "An error occurred while searching" while trying to do a threat lookup. Tried three different blocked IPs. When I then went to History those searches are present with results, including the one I did twice, so the error message appears to be an error.

Consistent with the fact of an error message, available searches did not decrement.

A separate cosmetic query: I do not mind seeing time stamps in the European zone, but is there anything to be done to see those dates in a format which is not American? ISO format would cover all territories more sensibly.

Quote from: zz00mm on October 18, 2025, 03:58:37 AMQfeeds,
      the Q-Feeds widget on the dashboard show's IP's are being block, right now 1633
      Security-> Q-Feeds Connect -> Events: shows nothing.
      qfeedsctl.py logs via command line: output show nothing.
      cat /var/log/filter/latest.log | grep block: does show IPs being blocked on em1 (WAN)
      What information can I provide to troubleshoot this?
      Config:
      running os-q-feeds-connecter-1.1_2, GUI plugin shows version 1.1 not 1.1_2
      completely uninstalled and reinstalled version 1.1_2 just to doublecheck myself.
      2 Node HA cluster
      10 vLANs internal network

Zz00mm

qfeedsctl.py stats:
{"feeds":[{"name":"malware_ip","total_entries":491863,"packets_blocked":16765,"bytes_blocked":791023,"addresses_blocked":1645}],"totals":{"entries":491863,"addresses_blocked":1645,"packets_blocked":16765,"bytes_blocked":791023}}
qfeedsctl.py logs:
{"rows":[]}
qfeedsctl.py show_index:
{"company_info":{"id":106,"name":"xxxxxxx Company","token_expiration":null,"p                                                                                       remium_access":false},"security_settings":{"rate_limit_window":10,"allowed_ips":                                                                                       "*","allowed_user_agents":"*"},"licensing_summary":{"features":{"total":5,"licen                                                                                       sed":0,"unlicensed":5},"feeds":{"total":3,"licensed":3,"unlicensed":0}},"feature                                                                                       s":[{"id":1,"name":"attack_surface","description":"Access to the External Attack                                                                                       -Surface Management functionality.","licensed":false},{"id":6,"name":"manage_api                                                                                       _key_settings","description":"Allows users to edit advanced settings for API key                                                                                       s, such as IP restrictions, feed access, and rate limits.","licensed":false},{"i                                                                                       d":3,"name":"manage_users","description":"Ability to create, edit, and delete su                                                                                       b-users.","licensed":false},{"id":7,"name":"support","description":"Access to su                                                                                       pport ticketing system and false positive reporting","licensed":false},{"id":4,"                                                                                       name":"threat_lookup","description":"Access to the Threat-Intelligence lookup fu                                                                                       nctionality.","licensed":false}],"feeds":[{"id":9,"feed_type":"malware_ip","type                                                                                       ":"ip","description":"Malicious IP addresses","created_at":"2024-09-02T12:00:00Z                                                                                       ","updated_at":"2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19                                                                                       T00:17:31Z","licensed":true,"local_filename":"\/var\/db\/qfeeds-tables\/malware_                                                                                       ip.txt","updated_at_dt":1760745600.0,"next_update_dt":1760833051.0},{"id":10,"fe                                                                                       ed_type":"malware_domains","type":"domains","description":"Malicious domain name                                                                                       s","created_at":"2024-09-02T12:00:00Z","updated_at":"2025-10-18T00:00:00Z","freq                                                                                       uency":1200,"next_update":"2025-10-19T00:17:31Z","licensed":true,"local_filename                                                                                       ":"\/var\/db\/qfeeds-tables\/malware_domains.txt","updated_at_dt":1760745600.0,"                                                                                       next_update_dt":1760833051.0},{"id":11,"feed_type":"phishing_urls","type":"urls"                                                                                       ,"description":"Phishing URLS","created_at":"2024-09-02T12:00:00Z","updated_at":                                                                                       "2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19T00:17:31Z","li                                                                                       censed":true,"local_filename":"\/var\/db\/qfeeds-tables\/phishing_urls.txt","upd                                                                                       ated_at_dt":1760745600.0,"next_update_dt":1760833051.0}]}

Hi zz00mm,

Could you share the following with me:

Check if Q-Feeds tables exist and contain entries:

   pfctl -t __qfeeds_malware_ip -T show | head -10
   pfctl -t __qfeeds_malware_ip -T show | wc -l

Check firewall rules for Q-Feeds table references:
  pfctl -sr | grep "<__qfeeds" | tail -5

Kind regards,

David

Quote from: passeri on October 18, 2025, 05:30:44 AMCurrently I am getting an error "An error occurred while searching" while trying to do a threat lookup. Tried three different blocked IPs. When I then went to History those searches are present with results, including the one I did twice, so the error message appears to be an error.

It seems this was an issue in the javascript presenting the results. This should be fixed now. Thanks for letting us know!

Quote from: passeri on October 18, 2025, 05:30:44 AMA separate cosmetic query: I do not mind seeing time stamps in the European zone, but is there anything to be done to see those dates in a format which is not American? ISO format would cover all territories more sensibly.

Totally agree! Thanks for this. We will add it to the list!

Quote from: passeri on October 18, 2025, 05:30:44 AMCurrently I am getting an error "An error occurred while searching" while trying to do a threat lookup. Tried three different blocked IPs. When I then went to History those searches are present with results, including the one I did twice, so the error message appears to be an error.

Consistent with the fact of an error message, available searches did not decrement.

A separate cosmetic query: I do not mind seeing time stamps in the European zone, but is there anything to be done to see those dates in a format which is not American? ISO format would cover all territories more sensibly.

Made some improvements on this; you can now set it to your own liking under 'account settings'. Also created a browser auto-detect function. That said it was a Saturday-morning (Europe/Amsterdam) quicky so please let me know if I missed a few timestamps :)

Quote from: Seimus on October 18, 2025, 02:03:50 AMWell, bought the Plus license. I like the overall premise + bonus points for listening to the community.

Cant say as a community we have always the best or brightest ideas, but so far changes made based on community feedback were very welcome. I hope this cooperation between Q-Feeds and community will continue.

Regards,
S.

Thank you very much Seimus, we will definitely do the best we can!

Quote from: Q-Feeds on October 18, 2025, 11:07:28 AMMade some improvements on this; you can now set it to your own liking under 'account settings'. Also created a browser auto-detect function. That said it was a Saturday-morning (Europe/Amsterdam) quicky so please let me know if I missed a few timestamps :)

Thank you, seems to work well. I found myself on Reykjavik time; Mullvad browser declines or fails to auto-detect but Safari does.

I see that you have even picked up on Eucla time, an unofficial zone, and an entry for Broken Hill in case they forget they are on Central not Eastern. The national capital is missing (same as Sydney and Melbourne times) though no-one pays Canberra much attention anyway so that is fine. :)

We're trying to be as inclusive as possible, even those on the legendary UTC+8:45 timezone 😄 I pulled all the timezones directly from PHP, so apparently they're not paying much attention to Canberra either! ;)

David

Please see below requested information.

Quote from: Q-Feeds on October 18, 2025, 10:28:20 AMCheck if Q-Feeds tables exist and contain entries:

   pfctl -t __qfeeds_malware_ip -T show | head -10

   1.0.0.4
   1.0.0.181
   1.0.0.187
   1.0.75.78
   1.0.138.92
   1.0.151.224
   1.0.152.138
   1.0.153.83
   1.0.153.159
   1.0.158.78

   pfctl -t __qfeeds_malware_ip -T show | wc -l

 491863

Check firewall rules for Q-Feeds table references:
  pfctl -sr | grep "<__qfeeds" | tail -5

block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop in quick on em1 reply-to (em1 x.x.x.22) inet from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
block drop in quick on em1 reply-to (em1 fe80::1e52) inet6 from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"

Quote from: zz00mm on October 18, 2025, 03:31:35 PMPlease see below requested information.

   pfctl -t __qfeeds_malware_ip -T show | head -10

......

Aah I see the issue the "tag qtag" is causing issues. I've forwarded it to our developers. Thank you very much we will get back with a solution soon.

EDIT: confirmed fix in the latest commit. Will be part of official release.

Quote from: Q-Feeds on October 18, 2025, 05:12:32 PM

Quote from: zz00mm on October 18, 2025, 03:31:35 PMPlease see below requested information.

   pfctl -t __qfeeds_malware_ip -T show | head -10

......

Aah I see the issue the "tag qtag" is causing issues. I've forwarded it to our developers. Thank you very much we will get back with a solution soon.

EDIT: confirmed fix in the latest commit. Will be part of official release.



Update:
     Removing the tag didn't resolve the issue.
What I found:
     Since this is an HA configuration, I did the following.
     Removed inbound floating rule, created rule on WAN and inbound blocks started appearing
     Outbound floating rule, added WAN to the existing rule with the vLANs and outbound blocks started appearing

     I believe this is due to the way HA configurations work.
     I will install Q-Feeds on a standalone (non HA) firewall this week and see if it works with floating rules and without WAN in the outbound rule.

Zz00mm

UPDATE

The plugin has now been released with OPNSense version 25.7.6 and 25.10 .

Tiny note: 25.10 has the initial 1.0, but will get a hotfix tomorrow for 1.2 to sync up the code.


Cheers,
Franco

Maybe as well additional info for those who don't read patch notes ;)

Q-Feeds is as well officially documented in OPNsense docs.

https://docs.opnsense.org/manual/qfeeds.html

Regards,
S.

Out of curiosity and wanted to install the plugin also; I went to the qfeeds.com website.
Then when trying to create an account on: https://tip.qfeeds.com/views/auth/register.php
I clicked on [Terms of Service] and [Privacy Policy].
Both links give this error: https://tip.qfeeds.com/terms.php
You are offline

This page cannot be displayed because you are not connected to the internet.

Please check your connection and try again.

maybe we just don't need to read them and just singup :-), but good to know those are not working.

Quote from: RamSense on October 22, 2025, 08:05:00 PMOut of curiosity and wanted to install the plugin also; I went to the qfeeds.com website.
Then when trying to create an account on: https://tip.qfeeds.com/views/auth/register.php
I clicked on [Terms of Service] and [Privacy Policy].
Both links give this error: https://tip.qfeeds.com/terms.php

Code Select Expand

You are offline

This page cannot be displayed because you are not connected to the internet.

Please check your connection and try again.

maybe we just don't need to read them and just singup :-), but good to know those are not working.

haha we do support your recommendation to just signup :-D
That said obviously that's a mistake and will update the links asap. Seems nobody tried to read them during the testing period :)

EDIT: Fixed it. Thanks for letting us know!

Quote from: Seimus on October 22, 2025, 06:06:09 PMMaybe as well additional info for those who don't read patch notes ;)

Q-Feeds is as well officially documented in OPNsense docs.

https://docs.opnsense.org/manual/qfeeds.html

Regards,
S.

Thanks for sharing!

Quote from: Seimus on October 22, 2025, 06:06:09 PMMaybe as well additional info for those who don't read patch notes ;)

Q-Feeds is as well officially documented in OPNsense docs.

https://docs.opnsense.org/manual/qfeeds.html

Regards,
S.

I am guessing there is a critical error on the firewall rules setup instructions?

Quote from: chrisgtl on October 22, 2025, 08:24:11 PM

Quote from: Seimus on October 22, 2025, 06:06:09 PMMaybe as well additional info for those who don't read patch notes ;)

Q-Feeds is as well officially documented in OPNsense docs.

https://docs.opnsense.org/manual/qfeeds.html

I am guessing there is a critical error on the firewall rules setup instructions?

Oh no! you're right.. the WAN rule should state the WAN interface instead of LAN. We'll get this sorted. For now the correct manual can be found at the bottom of our landing page: https://qfeeds.com/opnsense/ (https://qfeeds.com/opnsense/)

Unfortunately I still get the warning:

QuoteQFeeds requires additional memory to be reserved for aliases. Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least 2 million items.

I am using a blank setting (default) which amounts to 10,000,000 on my system. When I set it manually the warning disappears. As soon as I remove it so that the default is used, the warning shows up again.

@Q-Feeds Can you please point me to the part of the source code that does this check? IMO this check only looks for a value in that field. But if a value is not set, the test does not check what the default and thus the effective value actually is.

> I am using a blank setting (default) which amounts to 10,000,000 on my system.

This is the new maximum default since 25.7.5. It's calculating now based on available RAM.


Cheers,
Franco

Quote from: tessus on October 22, 2025, 09:23:41 PMUnfortunately I still get the warning:

QuoteQFeeds requires additional memory to be reserved for aliases. Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least 2 million items.

I am using a blank setting (default) which amounts to 10,000,000 on my system. When I set it manually the warning disappears. As soon as I remove it so that the default is used, the warning shows up again.

@Q-Feeds Can you please point me to the part of the source code that does this check? IMO this check only looks for a value in that field. But if a value is not set, the test does not check what the default and thus the effective value actually is.

Aah that's some leftover code from the beta  version. We've removed it from the code now all together. To clean it you can run these commands:

rm /usr/local/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
configctl webgui restart



Quote from: franco on October 22, 2025, 09:30:13 PMThis is the new maximum default since 25.7.5. It's calculating now based on available RAM.

Yep. My point was rather that the test was quirky:

$cnf = Config::getInstance()->object();
        if (!empty($cnf->system->maximumtableentries) && $cnf->system->maximumtableentries >= 2000000) {
There are 2 things I want to give feedback on and please forgive my ignorance since I don't know the internals.

So this cnf object holds all the settings. Of course cnf->system->maximumtableentries is empty, since nothing is set. How do I get the effective value. e.g. the UI shows that my system uses 10000000 so that info must be available.

For a proper test the above code shouldn't test for !empty &&, but check_effective_value(maximumtableentries) > 2000000 ||

Quote from: Q-Feeds on October 22, 2025, 09:52:43 PMAah that's some leftover code from the beta  version. We've removed it from the code now all together. To clean it you can run these commands:

Thanks, that did it. I did not even have to restart the webgui.

I am not sure I follow though. Leftover? So the file was not in the code, but still in the package? Or did you remove it from the code, after 1.2 was released?

Quote from: tessus on October 22, 2025, 10:23:39 PM

Quote from: franco on October 22, 2025, 09:30:13 PMThis is the new maximum default since 25.7.5. It's calculating now based on available RAM.

Yep. My point was rather that the test was quirky:

Code Select Expand

$cnf = Config::getInstance()->object();
        if (!empty($cnf->system->maximumtableentries) && $cnf->system->maximumtableentries >= 2000000) {
There are 2 things I want to give feedback on and please forgive my ignorance since I don't know the internals.

So this cnf object holds all the settings. Of course cnf->system->maximumtableentries is empty, since nothing is set. How do I get the effective value. e.g. the UI shows that my system uses 10000000 so that info must be available.

For a proper test the above code shouldn't test for !empty &&, but check_effective_value(maximumtableentries) > 2000000 ||

Quote from: Q-Feeds on October 22, 2025, 09:52:43 PMAah that's some leftover code from the beta  version. We've removed it from the code now all together. To clean it you can run these commands:

Thanks, that did it. I did not even have to restart the webgui.

I am not sure I follow though. Leftover? So the file was not in the code, but still in the package? Or did you remove it from the code, after 1.2 was released?

That was indeed a possibility yet since during the development the standard changed so this became obsolete.

Glad that did it! And thanks for pointing it out!

No we removed it from the code with the 1.2 release. So only the users who had the previous packages installed, have this file on their machines, sorry for not cleaning it up correctly.

On the Opnsense dashboard, is the "Blocked" figure a rolling number over a period or will it increase infinitely?

If over a period, is that a setting somewhere?

Quote from: passeri on October 23, 2025, 04:20:59 AMOn the Opnsense dashboard, is the "Blocked" figure a rolling number over a period or will it increase infinitely?

If over a period, is that a setting somewhere?

It's not per 24h. The widget's "blocked" is the number of unique feed addresses that have seen at least one blocked packet in the packet filter since the tables were last loaded/replaced (e.g., after a feed update, reconfigure, or reboot). It resets whenever the Q-Feeds tables are reloaded.

Installed, registered and now have blocked information in the widget. Nice and slick :-)

One question though. I've ticked the box to register domain feeds after confirming Unbound has blocklists enabled. Am I supposed to see a q-feeds specific blocklist appear in the "Type of DNSBL" drop-down?

If so, there's nothing there for q-feeds, just the default. I've tried disable/enable blocklist, Unbound restart, and uncheck/check of "register domain feeds".

Quote from: RutgerDiehard on October 23, 2025, 11:16:18 AMInstalled, registered and now have blocked information in the widget. Nice and slick :-)

One question though. I've ticked the box to register domain feeds after confirming Unbound has blocklists enabled. Am I supposed to see a q-feeds specific blocklist appear in the "Type of DNSBL" drop-down?

If so, there's nothing there for q-feeds, just the default. I've tried disable/enable blocklist, Unbound restart, and uncheck/check of "register domain feeds".

Hi RutgerDiehard,

No you're not supposed to see our list in that dropdown. If both are activated (in our plugin and blocklists in general in unbound) then the list is active. You can verify by checking the number of IOCs in the Unbound report. It might be something we will improve later on though ;)

Quote from: Q-Feeds on October 23, 2025, 11:36:57 AM

Quote from: RutgerDiehard on October 23, 2025, 11:16:18 AMInstalled, registered and now have blocked information in the widget. Nice and slick :-)

One question though. I've ticked the box to register domain feeds after confirming Unbound has blocklists enabled. Am I supposed to see a q-feeds specific blocklist appear in the "Type of DNSBL" drop-down?

If so, there's nothing there for q-feeds, just the default. I've tried disable/enable blocklist, Unbound restart, and uncheck/check of "register domain feeds".

Hi RutgerDiehard,

No you're not supposed to see our list in that dropdown. If both are activated (in our plugin and blocklists in general in unbound) then the list is active. You can verify by checking the number of IOCs in the Unbound report. It might be something we will improve later on though ;)

Thanks for the quick reply :-)

I assume you mean by looking at the "Size of blocklist" in the Unbound DNS report?

If I untick "Register domain feeds" in q-feeds and recheck the "Size of blocklist" number, it does not change.

Is this correct or am I looking in the wrong place?

Just checked the other way by configuring only "Register domain feeds" and unticking all in "Type of DNSBL".

Now the "Size of blocklist" number does change. I assume that this number should tally with the number reported on TIP?

E.g. with no other blocklists ticked, the size of blocklist number is 358,597. However, the previous count from TIP is 438,574 and current is 539,551 using the numbers from my current plan (free edition).

There seems to be an anomally.

@Q-Feeds: I just noticed your service is blocking my company VPN - ZScaler.
Are you supposed to block those hubs? https://config.zscaler.com/zscaler.net/hubs (https://config.zscaler.com/zscaler.net/hubs)
I now have to disable Q-feeds to connect to the company network.

I'm seeing blocks from LAN to destination 165.225.101.236; 165.225.29.187; 165.225.25.182; etc

You can always create a whitelist alias in a rule above ours. That said we just checked and it seems ZScaler doesn't care to facilitate criminal organizations as well. We're seeing lots of bad actors in a lot of our sources.

Thank you for checking and info. I will enable Q-Feeds again, and connect my company by the guest network.

Quote from: RutgerDiehard on October 23, 2025, 11:57:06 AMJust checked the other way by configuring only "Register domain feeds" and unticking all in "Type of DNSBL".

Now the "Size of blocklist" number does change. I assume that this number should tally with the number reported on TIP?

E.g. with no other blocklists ticked, the size of blocklist number is 358,597. However, the previous count from TIP is 438,574 and current is 539,551 using the numbers from my current plan (free edition).

There seems to be an anomally.

Thanks for pointing out! We will investigate it.

Hello,

I haven't tried this product out yet but I am considering to in the near future. However for licensing I was wondering what is meant by "Beneficial users (FTE)", is this in reference to users as in people, or users as in connected devices as in IP addresses? I would assume the later, but figured I would ask for clarity.

Thanks

Quote from: xpendable on October 24, 2025, 09:21:14 PMHello,

I haven't tried this product out yet but I am considering to in the near future. However for licensing I was wondering what is meant by "Beneficial users (FTE)", is this in reference to users as in people, or users as in connected devices as in IP addresses? I would assume the later, but figured I would ask for clarity.

Thanks

Great question! It actually refers to people (Full-Time Employees), not devices or IPs. For home users, I have to admit "FTE" isn't really the right term, although running a family can definitely feel like a full-time job ;-)

And great to hear to you're planning to try it! You won't regret it :)

I would be very happy to test it.
Only an IT Consultant with some gained Security Experience ;)

Quote from: 0zzy on October 25, 2025, 08:05:40 PMI would be very happy to test it.
Only an IT Consultant with some gained Security Experience ;)

The plugin is now officially included in OPNsense versions 25.7.6 and 25.10, thanks to the great efforts and support of the community!
Instructions can be found here: https://docs.opnsense.org/manual/qfeeds.html (https://docs.opnsense.org/manual/qfeeds.html)

Ok I installed it, made the registration, add the api thing and nothing happens, I didn't see anything under Events.
Under Feeds I see two entries:
Malicious IP addresses
Malicious domain names
domains
2025-10-26T00:00:00Z
2025-10-26T00:00:007
2025-10-27T00:55:277
2025-10-27700:55:277

everything with a checkmark.

So my question is, what exactly should I expect?

Normally I use crowdsec (which is definitively extremely a money made machine....)

Quote from: 0zzy on October 26, 2025, 05:53:20 PMSo my question is, what exactly should I expect?

Depending on how you implement your block rules. I run it IN WAN & IN LANs, using a policy (group) that has the seq 0 and is inherited into every FW interface.

The outcome is that if a session tries to establish from or to the q_feed alias, its blocked.

Regards.
S.

@Seimus which block rules do you mean exactly? I have different rules (floating and because of micro segmentation of my vlans some special rules depending on my needs).
So for it only Interesting for LAN / WLAN / WAN.

But wait I need to check the Docs first, as far as I know its already in the OPNSense Docs....

ah now I see what you mean .... I let you know if it changed something after I set the rule (I think its easier to create a floating rule in my case ) but thank you, after a day of coding my heady bangs too hard and I oversee things ;)

Quote from: 0zzy on October 26, 2025, 06:17:37 PMwhich block rules do you mean exactly

The ones you need to manually create to take advantage of Q-feed alias.

Regards,
S.

So I installed the plugin and set it up over the weekend and I am quite happy with it. Probably the best solution so far due to the native firewall integration by using pf and unbound for the filtering.

Not sure on what all of the suggested improvements has been so far, I know there has been many, like the automatic rule generation... which would be nice but I would also suggest making it optional. So that the more advanced users can simply create their own. I say this because for example I only use IPv4, so I did not create an IPv6 rule as it is not required. Relatively minor, but it's nice to not have things defined if they are not needed.

Not sure if this has been suggested or not, but the Q-Feeds Events page should also include unbound events as well to provide a holistic view of all traffic filtered by Q-Feeds and the fact that the unbound details page has a limited log size and gets overwritten very quickly. Also I know there was suggestions to include the IoC lookup there as well, which would be great. If that can not be done for some reason, maybe at least a whois lookup link?

Also it is difficult to verify unbound integration as the only thing you are really relying on is to either look at the unbound blocklist size before enabling Q-Feeds, or rely on something being filtered in the unbound logs since there is no blocklist to select within the unbound blocklist drop down menu. The current configuration basically implies that it is enabled without any real verification. Maybe provide a test URL to verify unbound integration?

I look forward to the continued improvements to the plugin and ip/dns lists.

Thanks

Installed on my cluster and created some blocking rules on internal and WAN interfaces. All is working, at least form outside.

Some questions:

1. Beside Q_Feeds Community, I use maltrail. Use same blocking rule for both aliases. Analyzing some IP addresses in both aliases, I found maltrail blocks some IP addresses Q_Feeds did not. I decided to maintain both, because this indicated me the Q_feeds Community protection is not complete (as expected from your documents and web site :-) ).  OK as policy or there can be some "internal conflict"?

2. It is possible to ad some "Export to csv" or "Download" button in Security/Q-Feeds Connect/Events? There are 50k log entries, almost impossible to analyze just on this screen. I know, it is possible to export the whole firewall log, but it is to big to be useful.

3. How to report false positives, if found any?

4. In the portal log i found the message: "Rate limit exceeded for company: xxxxxxx's Company on feed malware_ip".  I have two firewalls, master and slave in a cluster. The message is for the master IP address. Which is the limit?  How to avoid it?   

Quote from: wstemb on October 29, 2025, 11:39:12 AMInstalled on my cluster and created some blocking rules on internal and WAN interfaces. All is working, at least form outside.

Some questions:

1. Beside Q_Feeds Community, I use maltrail. Use same blocking rule for both aliases. Analyzing some IP addresses in both aliases, I found maltrail blocks some IP addresses Q_Feeds did not. I decided to maintain both, because this indicated me the Q_feeds Community protection is not complete (as expected from your documents and web site :-) ).  OK as policy or there can be some "internal conflict"?

2. It is possible to ad some "Export to csv" or "Download" button in Security/Q-Feeds Connect/Events? There are 50k log entries, almost impossible to analyze just on this screen. I know, it is possible to export the whole firewall log, but it is to big to be useful.

3. How to report false positives, if found any?

4. In the portal log i found the message: "Rate limit exceeded for company: xxxxxxx's Company on feed malware_ip".  I have two firewalls, master and slave in a cluster. The message is for the master IP address. Which is the limit?  How to avoid it?   

Thanks for raising your questions!

• There's no single set of feeds that covers everything. Q-Feeds makes decisions based on relevance, accuracy, and severity. The way we curate and manage the data helps us minimize false positives, but as noted, no feed is ever 100% complete. So keeping both Q-Feeds and Maltrail active is fine.
• We'll ask the Deciso team to review your suggestion regarding an "Export to CSV" or "Download" option. That's a valuable request.

    3.    You can report false positives directly via the Q-Feeds Threat Intelligence Portal: Q-Feeds TIP (https://tip.qfeeds.com/views/auth/login.php).
    4.    Best practice is to use one license per IP/firewall. In your case, you can simply create another API key via the TIP for the second firewall to avoid rate limit issues.

Hi, just purchased a Plus License for 1 yr because i have confidence in your product and want to support your great efforts.

Quote from: Kets_One on October 30, 2025, 07:58:43 PMHi, just purchased a Plus License for 1 yr because i have confidence in your product and want to support your great efforts.

Thank you so much for your support Kets_One! Very much appreciated! And we will keep our efforts up to make it even greater, thanks to your help we can!

Best regards,

Stefan

Hi Q-feeds,

I have two questions:

1. I currently have Crowdsec installed. Should I uninstall Crowdsec to avoid redundancy (for troubleshooting purposes), or do Q-Feeds and Crowdsec complement each other?

2. I'm currently using AdGuard Home and Unbound. What's the best way to integrate Q-Feeds' DNS functionality? Is there a DNSBL that I can configure in AdGuard with a corresponding API token, for example, in the format "https://api.qfeeds.com/feed/domain_blacklist.txt?key=<API_KEY>"?

Thank you in advance for your reply.

Quote from: RES217AIII on November 01, 2025, 02:08:19 PMHi Q-feeds,

I have two questions:

1. I currently have Crowdsec installed. Should I uninstall Crowdsec to avoid redundancy (for troubleshooting purposes), or do Q-Feeds and Crowdsec complement each other?

2. I'm currently using AdGuard Home and Unbound. What's the best way to integrate Q-Feeds' DNS functionality? Is there a DNSBL that I can configure in AdGuard with a corresponding API token, for example, in the format "https://api.qfeeds.com/feed/domain_blacklist.txt?key=<API_KEY>"?

Thank you in advance for your reply.

Hi RES217AIII,

Thank you for your questions!

1. In theory, all CTI (Cyber Threat Intelligence) Feeds are complementary to each other as there is no feed to rule them all. Feel free to use Q-Feeds and Crowdsec at the same time. And experience (test) the differences yourself.

2. You can use the native Unbound support within the plugin, or you can use it with AdGuard. Whatever you prefer. You can use the URL which are in this manual: https://qfeeds.com/en-sophos-v1-1/.

The manual for the plugin can be found here: https://qfeeds.com/en-opnsense-documentation/

Greetings, Stefan

Hell Yeah, it works.
But I didn't use Interface Rules instead of them I have a floating rule for have a clean ruleset on my interfaces.

I see many Events on WAN / LAN but what I miss is a description of the Event.

@Q-Feeds what do you mean, is there a way to get more Information out of that?

Which Options do I have to play with (if possible) the API of this plug?
For deeper insights, which logs can I check?
How can I see these events in a SIEM/XDR like Sentinel or WAZUH?

And one thing: I don't know why but login with UserName on Q-Feeds Site isn't possible anymore.
Also I didn't get any email when ordering a new password.... ;(

Hi Ozzy,

I heard Stefan solved the password issue separately.

For extra event details, you can use the Threat Lookup feature in the TIP (available with Plus or Premium licenses). That functionality isn't built into the plugin (yet), and since we don't collect any telemetry data, we can't display your hits in the TIP. This is a deliberate choice, we prefer not to gather any data from your firewalls.

The plugin doesn't have its own API endpoints yet, but you can check detailed logs under Firewall → Log Files → live view or Normal View to see what's being blocked or allowed.

If you want to connect OPNsense to a SIEM like Sentinel or Wazuh, you can use syslog or the Wazuh agent. For more advanced correlations in your SIEM, we also offer a TAXII server which supports the context with the IOCs. Yet this is a different offering from the OPNsense packages. If you'd like, we can schedule a quick Teams call (just send us a PM) so I can show you how it works and discuss the options in more detail.

Kind regards,

David

Quote from: Q-Feeds on November 02, 2025, 06:51:05 PMsince we don't collect any telemetry data, we can't display your hits in the TIP. This is a deliberate choice, we prefer not to gather any data from your firewalls.

Something appreciated by this user, for one.

Thanks for this product! I will test it!

How it works with adguard? Is there a manual?

Quote from: wirehire on November 06, 2025, 11:13:04 AMHow it works with adguard? Is there a manual?

Create a DNS blocklist in AdGuard Home with this URL:

https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=<your API token>


Thanks Patrick.


Another question, in the log from the qfeed , how can i see, which port the blocked actually tried to connect?

You need to check the firewall logs for your block rule. And set that to logging enabled, of course.

ok so no more info, likes crowdsec ? or only with the paid version?

Q-Feeds does not send any info back to them, that's why they cannot show you more info in the dashboard. Great from a privacy point of view, IMHO.

you right, nothing upload are very good, from this sign. But the plugin matched the list and the blocklist  take from the blocklist the ip. So when the pluing can see that dangerous ip take to connect and block ist, it can also see and write to the plugin log, which port.

for  zero days often, the check in wave specific ports. So when you see that many ips scan for a specific port in a wave, you can take it different.

Where the question to the qfeed maintainer. Can your plugin  without upload to your instances, see which port the attacker probt to be connect ?

Your block rule does that.

Step 1:

(https://forum.opnsense.org/index.php?action=dlattach;attach=49111;image)

Step 2:

(https://forum.opnsense.org/index.php?action=dlattach;attach=49113;image)

Patrick thanks, i know that, but why not in the plugin , where the ips block shows up? The read the pf log, so the details are there.

Quote from: wirehire on November 06, 2025, 01:35:21 PMPatrick thanks, i know that, but why not in the plugin , where the ips block shows up? The read the pf log, so the details are there.

Thank you for the suggestion, you're right and we think that's a nice addition. We've added it to the list but for know Patrick's suggestion is indeed the way to go.

I've given this whole thread a read and here's my 2c:

A sysadmin with 30+ years of xp here. I run infrastructure for a hosting company, for a dozen of clients of small to medium sizes.
As such, I and my customers are not interested, in any way, shape, and form, in the traditional "threat" detection. We are interested in the blocking of web contact form and email spam, and we achieve this mostly by blocking all things hosting. Everything that comes from hosting providers is considered a threat, plain and simple. Hosting providers are everyone's enemies. So I simply integrated with an API that tells me whether the visitor is from a hosting company, in which case they are given a boot, or from consumer internet providers, in which case we let our tried and tested set of rules to take an action. Nothing that is of my or my customer's concerns can get past my multiple layers of firewalls, and this has been proven many times by all kinds of pen test companies that my customers used to hire until they realized that it's money well wasted, so they cut down on this.

Having said it, what can Q-feeds offer us?

Quote from: Jyling on November 06, 2025, 04:23:26 PMI've given this whole thread a read and here's my 2c:

A sysadmin with 30+ years of xp here. I run infrastructure for a hosting company, for a dozen of clients of small to medium sizes.
As such, I and my customers are not interested, in any way, shape, and form, in the traditional "threat" detection. We are interested in the blocking of web contact form and email spam, and we achieve this mostly by blocking all things hosting. Everything that comes from hosting providers is considered a threat, plain and simple. Hosting providers are everyone's enemies. So I simply integrated with an API that tells me whether the visitor is from a hosting company, in which case they are given a boot, or from consumer internet providers, in which case we let our tried and tested set of rules to take an action. Nothing that is of my or my customer's concerns can get past my multiple layers of firewalls, and this has been proven many times by all kinds of pen test companies that my customers used to hire until they realized that it's money well wasted, so they cut down on this.

Having said it, what can Q-feeds offer us?

Hi Jyling,

That's an interesting approach, sounds like you've got a pretty tight setup already.

Q-Feeds isn't focused on generic logic. We maintain constantly validated threat intelligence feeds with confirmed malicious IPs, domains, and URLs — actual command-and-control servers, phishing kits, malware activity, and even APT groups. That includes compromised servers within consumer networks and infected sites hosted on otherwise legitimate infrastructure.

So instead of just blocking entire hosting ranges, Q-Feeds helps you block what's actively bad, while still allowing legitimate traffic that comes from hosting environments your customers might actually want to reach (e.g. legitimate mail relays, SaaS, or shared web services).

In short:
You'd get more precision than broad "hosting provider = block" filters.
Our data is updated and validated 24/7 to minimize false positives.
You can integrate it via API or directly into your firewall/DNS with minimal effort.
You could even use it alongside your existing hosting block logic, our feeds would just catch the real threats that slip through.

All that said, the proof is in the pudding, give it a spin and you'll see the difference.

!! NEW NEW NEW !!

Today we are proud to announce our first External Attack Surface Management (EASM) tools in our Threat Intelligence Portal!

We've added a powerful vulnerability scanner that checks for:

• Open ports
• Web and network vulnerabilities
• Potential misconfiguration flaws

On top of that, we included a range of handy tools for enrichment and quick analysis, such as:

• WHOIS Lookup
• DNS Records
• HTTP Headers
• GeoIP
• SSL Certificate details
• Reverse DNS
• Similar Domains detection

The goal is simple — help users understand what's exposed from their public-facing infrastructure and identify risks before attackers do.

Note: The new EASM features are currently available for Plus and Premium subscriptions only.
Note 2: The new vulnerability scanner is limited to 1 scan per day for Premium and 1 scan per week for Plus.


We'll continue expanding functionality and welcome any feedback.

Nice sweet!

I really wish this tool-set would be integrated into the OPNsense plugin/GUI.

------

Looks like the HTTP header toolkit the output from "Security Headers Analysis" show duplicated entries (basically shows the same results twice.)

Regards,
S.

Quote from: Seimus on November 06, 2025, 08:54:42 PMNice sweet!

I really wish this tool-set would be integrated into the OPNsense plugin/GUI.

------

Looks like the HTTP header toolkit the output from "Security Headers Analysis" show duplicated entries (basically shows the same results twice.)

Regards,
S.

Thank you! We might in the future but that won't be tomorrow I'm afraid ;-)

Fixed the bug right away, thanks for letting us know!

The scanner looks like a fantastic addition but my first test suggests that at least over IPv6 it does not quite work, yet.

I scanned both the external IPv4 and the external IPv6 address of my OPNsense. I run a Caddy reverse proxy for all public services. The IPv4 scan correctly identified open ports 80 and 443 while the IPv6 scan not only finished in a couple of seconds but also resulted in nothing whatsoever.

Thinking about it - I'll go check if maybe your scanner was blocked by either your own lists or one of the free ones I also use.

EDIT: no blocked packets. So something is wrong with the IPv6 scan it seems.

Quote from: Patrick M. Hausen on November 06, 2025, 11:05:00 PMThe scanner looks like a fantastic addition but my first test suggests that at least over IPv6 it does not quite work, yet.

I scanned both the external IPv4 and the external IPv6 address of my OPNsense. I run a Caddy reverse proxy for all public services. The IPv4 scan correctly identified open ports 80 and 443 while the IPv6 scan not only finished in a couple of seconds but also resulted in nothing whatsoever.

Thinking about it - I'll go check if maybe your scanner was blocked by either your own lists or one of the free ones I also use.

EDIT: no blocked packets. So something is wrong with the IPv6 scan it seems.

Thanks for your extensive testing once again ! Seems we got work to do! :)

EDIT: Fixed now for IPv6

I've tested this today in my home and seems to be working ok - here's some feedback

• The main website https://qfeeds.com/ has a typo in this section
  .. "We offers detection and response services against phishing  .." the word "offers" should be "offer"
• I added the Blocklist "https://api.qfeeds.com/api?feed_type=malware_domains&api" into Adguard Home and it was working fine, however it blocked the solar monitoring website https://pvoutput.org
  I made a false positive report advising that I was using the malware domains list in AdGuard Home, and Support closed it saying it's not on the list. I double checked I set it correctly, which I had, and submitted another false positive report. Support closed it again and wrote back saying it must be an issue on my end as pvoutput.org isn't on your IP list and not in your Domains lists and to try force reloading the list. I logged another false positive after I disabled all the other AGH blocklists and force reloaded the qfeeds malware list. I also pointed out that issue is with the blocklist in Adguard Home which is using MALWARE Domains and that if I create a whitelist in AGH for pvoutput.org, I can access it, and I was able to access it until I loaded the Qfeeds blocklist - I'm still awaiting a reply
• When logging the false positive reports, I noticed that if I entered a single quote ' in my report, for example won't,  after I saved the report it displayed the HTML number &#039; instead won&#039;t   
• It would be good if a false positive report could be added to/reopened rather than needing to keep adding a new report as I had to keep repeating all the information from the previous ones there were (incorrectly) closed
• I was considering a Plus subscription, however Patrick reported that the scanner isn't working properly, so we need to wait a week to try again as we can only test one IP per week - can this be relaxed until you fix the issue with the scanner?
• In the TIP dashboard, it would be great if clicking on the panels My API Keys, Available Feeds and My API Calls were hyperlinks to those sections

Edited to add

• How can I enable monit to monitor qfeeds ?

Many thanks

Quote from: vk2him on November 07, 2025, 10:09:02 AMI've tested this today in my home and seems to be working ok - here's some feedback

• The main website https://qfeeds.com/ has a typo in this section
  .. "We offers detection and response services against phishing  .." the word "offers" should be "offer"
• I added the Blocklist "https://api.qfeeds.com/api?feed_type=malware_domains&api" into Adguard Home and it was working fine, however it blocked the solar monitoring website https://pvoutput.org
  I made a false positive report advising that I was using the malware domains list in AdGuard Home, and Support closed it saying it's not on the list. I double checked I set it correctly, which I had, and submitted another false positive report. Support closed it again and wrote back saying it must be an issue on my end as pvoutput.org isn't on your IP list and not in your Domains lists and to try force reloading the list. I logged another false positive after I disabled all the other AGH blocklists and force reloaded the qfeeds malware list. I also pointed out that issue is with the blocklist in Adguard Home which is using MALWARE Domains and that if I create a whitelist in AGH for pvoutput.org, I can access it, and I was able to access it until I loaded the Qfeeds blocklist - I'm still awaiting a reply
• When logging the false positive reports, I noticed that if I entered a single quote ' in my report, for example won't,  after I saved the report it displayed the HTML number &#039; instead won&#039;t 
• It would be good if a false positive report could be added to/reopened rather than needing to keep adding a new report as I had to keep repeating all the information from the previous ones there were (incorrectly) closed
• I was considering a Plus subscription, however Patrick reported that the scanner isn't working properly, so we need to wait a week to try again as we can only test one IP per week - can this be relaxed until you fix the issue with the scanner?
• In the TIP dashboard, it would be great if clicking on the panels My API Keys, Available Feeds and My API Calls were hyperlinks to those sections

Edited to add

• How can I enable monit to monitor qfeeds ?

Many thanks

Dear vk2him,

Thank you for your great feedback and suggestions!

• Thanks, fixed it right away!
• I had a look at the reports but unfortunately couldn't reproduce this either. In our backend, which contains over 80 million IOCs, this domain doesn't exist, I also couldn't find it in the OSINT or Premium feeds. If you download the list directly in your browser, do you see the domain then? And or is there anyone else on this forum who experiences connection issues with pvoutput.org? Obviously I'm using all of our blocklists but I can connect without any issues.
• Thanks for pointing out the encoding issue, it's been fixed.
• Good idea, you can now reopen cases and also edit your initial submissions.
• The IPv6 issue is solved now. We'll reconsider the scan limits later, but for now, while we're monitoring infrastructure load, you can scan multiple IPs once per week. The allowed IPs are based on where you've connected from (via TIP login or API calls), to help prevent abuse.
• We've added direct links to the Logs and API Keys sections, great suggestion! For the Available Feeds section, we'll add a link once some new planned pages are ready.

Unfortunately, I can't assist directly with Monit configuration, but maybe someone else in the community can share some insights.

Kind regards,

David

Quote from: Q-Feeds on November 08, 2025, 12:51:21 AMDear vk2him,

Thank you for your great feedback and suggestions!

• Thanks, fixed it right away!
• I had a look at the reports but unfortunately couldn't reproduce this either. In our backend, which contains over 80 million IOCs, this domain doesn't exist, I also couldn't find it in the OSINT or Premium feeds. If you download the list directly in your browser, do you see the domain then? And or is there anyone else on this forum who experiences connection issues with pvoutput.org (https://pvoutput.org/)? Obviously I'm using all of our blocklists but I can connect without any issues.
• Thanks for pointing out the encoding issue, it's been fixed.
• Good idea, you can now reopen cases and also edit your initial submissions.
• The IPv6 issue is solved now. We'll reconsider the scan limits later, but for now, while we're monitoring infrastructure load, you can scan multiple IPs once per week. The allowed IPs are based on where you've connected from (via TIP login or API calls), to help prevent abuse.
• We've added direct links to the Logs and API Keys sections, great suggestion! For the Available Feeds section, we'll add a link once some new planned pages are ready.

[/list]

Unfortunately, I can't assist directly with Monit configuration, but maybe someone else in the community can share some insights.

Kind regards,

David

Thanks for the reply and fixing the items I pointed out.

Regarding pvoutput.org - today I am able to connect to it, and I wasn't able to find it on the list after I downloaded it, so that's strange.

Anyway, I'm seeing something strange at the moment - my Events tab isn't showing anything and it was yesterday.

I tried browing to a site that is in the IP filter table and the livelogs show Qfeeds blocked it, however The events tab is blank? I tried this yesterday and it appeared in live logs and the events tab?

I am curious to know what to make of this.

I saw in event logs that a string of outgoing connections were attempted from one machine. The first set was to 63.141.128.3 and the second to 162.247.243.29. I tried to look up each of these in TIP (Plus licence) to receive the reply "An error occurred while searching. Please try again or contact support if the problem persists." which it did.

dig showed NXDOMAIN of course. At virustotal.com each of these addresses was flagged by the SOCRadar Abusix list as malware but clean in the other 94 analyses shown by virustotal.

Is the likely source for these a pixel in a spam message or some web page? I have spam fairly heavily controlled so such a message rarely becomes visible to execute.

Why does the threat lookup so rarely respond with information, this not being the first time it has simply said there was an error?

Quote from: vk2him on November 08, 2025, 05:04:59 AM

Quote from: Q-Feeds on November 08, 2025, 12:51:21 AMDear vk2him,

Thank you for your great feedback and suggestions!

• Thanks, fixed it right away!
• I had a look at the reports but unfortunately couldn't reproduce this either. In our backend, which contains over 80 million IOCs, this domain doesn't exist, I also couldn't find it in the OSINT or Premium feeds. If you download the list directly in your browser, do you see the domain then? And or is there anyone else on this forum who experiences connection issues with pvoutput.org (https://pvoutput.org/)? Obviously I'm using all of our blocklists but I can connect without any issues.
• Thanks for pointing out the encoding issue, it's been fixed.
• Good idea, you can now reopen cases and also edit your initial submissions.
• The IPv6 issue is solved now. We'll reconsider the scan limits later, but for now, while we're monitoring infrastructure load, you can scan multiple IPs once per week. The allowed IPs are based on where you've connected from (via TIP login or API calls), to help prevent abuse.
• We've added direct links to the Logs and API Keys sections, great suggestion! For the Available Feeds section, we'll add a link once some new planned pages are ready.

[/list]

Unfortunately, I can't assist directly with Monit configuration, but maybe someone else in the community can share some insights.

Kind regards,

David

Thanks for the reply and fixing the items I pointed out.

Regarding pvoutput.org - today I am able to connect to it, and I wasn't able to find it on the list after I downloaded it, so that's strange.

Anyway, I'm seeing something strange at the moment - my Events tab isn't showing anything and it was yesterday.

I tried browing to a site that is in the IP filter table and the livelogs show Qfeeds blocked it, however The events tab is blank? I tried this yesterday and it appeared in live logs and the events tab?

That's very interesting, but we're glad that issue is solved now. Now regarding the events tab, that's an interesting find as well. Just to be sure, you haven't disabled logging on the rules? And you do see blocks in the dashboard widget?

Does this command dump logs ? "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs"

Quote from: passeri on November 08, 2025, 05:50:55 AMI am curious to know what to make of this.

I saw in event logs that a string of outgoing connections were attempted from one machine. The first set was to 63.141.128.3 and the second to 162.247.243.29. I tried to look up each of these in TIP (Plus licence) to receive the reply "An error occurred while searching. Please try again or contact support if the problem persists." which it did.

dig showed NXDOMAIN of course. At virustotal.com each of these addresses was flagged by the SOCRadar Abusix list as malware but clean in the other 94 analyses shown by virustotal.

Is the likely source for these a pixel in a spam message or some web page? I have spam fairly heavily controlled so such a message rarely becomes visible to execute.

Why does the threat lookup so rarely respond with information, this not being the first time it has simply said there was an error?

Well to start, threat lookup should always show information on hits you've experienced. There are very rare cases that it doesn't if a IOC has been deleted from our database and the feed wasn't updated yet, but after looking into it that wasn't the case here. We've made some improvements to the lookup functionality which should result in faster lookups and no more error messages.

Regarding the IPs you were trying to lookup; 162.247.243.29 is known for an IP from newrelic. This is indeed a kind of tracking pixel but there were also known events were they're scanning the internet for unknown reasons and even possibly exploiting https://nvd.nist.gov/vuln/detail/CVE-2020-11910. 63.141.128.3 is known for brute force tries, interesting to see that you experience outbound connections to it.

Quote from: Q-Feeds on November 08, 2025, 09:48:45 AMinteresting to see that you experience outbound connections to it

That "interesting" could be carrying a lot of freight. The attempted connections were for a short period then ceased. The machine which sourced them has Sophos Premium running on it and no open ports. The router which trapped them is internal, not at the edge, looking only at outgoing traffic, Community key for Q-feeds. The Plus key is on the edge so it saw nothing of this.

I tried the threat lookups again. They worked in Safari, not in Mullvad (Firefox), "network error". Everything is latest versions.

Quote from: Q-Feeds on November 08, 2025, 09:41:38 AMThat's very interesting, but we're glad that issue is solved now. Now regarding the events tab, that's an interesting find as well. Just to be sure, you haven't disabled logging on the rules? And you do see blocks in the dashboard widget?

Does this command dump logs ? "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs"

The rules have the logging enabled - I shared a screenshot in my previous reply of the live logs showing my test was blocked. Yes the dashboard widget shows a large blocked number.

The command gives an error:

root@OPNsense:~ # /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py", line 50, in <module>
    for msg in getattr(actions, action)():
  File "/usr/local/opnsense/scripts/qfeeds/lib/__init__.py", line 187, in logs
    yield ujson.dumps({'rows': PFLogCrawler(feeds).find()})
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 75, in find
    result.append(self._parse_log_line(line))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 64, in _parse_log_line
    return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
                      ~~~~~~~^^^
IndexError: list index out of range
Thanks

Quote from: vk2him on November 08, 2025, 11:45:35 AM

Quote from: Q-Feeds on November 08, 2025, 09:41:38 AMThat's very interesting, but we're glad that issue is solved now. Now regarding the events tab, that's an interesting find as well. Just to be sure, you haven't disabled logging on the rules? And you do see blocks in the dashboard widget?

Does this command dump logs ? "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs"

The rules have the logging enabled - I shared a screenshot in my previous reply of the live logs showing my test was blocked. Yes the dashboard widget shows a large blocked number.

The command gives an error:

Code Select Expand

root@OPNsense:~ # /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py", line 50, in <module>
    for msg in getattr(actions, action)():
  File "/usr/local/opnsense/scripts/qfeeds/lib/__init__.py", line 187, in logs
    yield ujson.dumps({'rows': PFLogCrawler(feeds).find()})
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 75, in find
    result.append(self._parse_log_line(line))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 64, in _parse_log_line
    return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
                      ~~~~~~~^^^
IndexError: list index out of range
Thanks

Sorry didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think its best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues


If you want I can do that for you but I'm not able to reproduce it. It should solve eventually if your logs get rotated.

Quote from: passeri on November 08, 2025, 10:37:01 AM

Quote from: Q-Feeds on November 08, 2025, 09:48:45 AMinteresting to see that you experience outbound connections to it

That "interesting" could be carrying a lot of freight. The attempted connections were for a short period then ceased. The machine which sourced them has Sophos Premium running on it and no open ports. The router which trapped them is internal, not at the edge, looking only at outgoing traffic, Community key for Q-feeds. The Plus key is on the edge so it saw nothing of this.

I tried the threat lookups again. They worked in Safari, not in Mullvad (Firefox), "network error". Everything is latest versions.

Plus has everything community + more. So I have no clue why your edge router didn't catch that activity !? Or am I misunderstanding something?

Misunderstanding something. The internal router stopped it. The edge router can never see what is not passed to it in the first place.

I have no further such contacts. I have organised to track their app source if one turns up again.

Quote from: Q-Feeds on November 08, 2025, 02:21:03 PMSorry didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think its best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues (https://github.com/opnsense/plugins/issues)

No crashes, disk full or power loss - all running fine. I restarted the host that OPNSense is running on and it's now working. Strange that it was working during the day, then overnight the log somehow was corrupted. I'll keep an eye on it.

How frequently is the widget "Blocked" number updated ?

To wrap up the curiosity item (https://forum.opnsense.org/index.php?msg=252089) I raised, one of those addresses is bam.nr-data.net which is a gathering point for browser activity tracking, while the other is bigcommerce.com related to shopfront checkouts and again probably about activity data collection given purchases were not affected. Calls originated from Apple Safari, not Mullvad, although it is not excluded that that is coincidence.

While they are more about privacy than security, nothing has broken with them being blocked.

Quote from: vk2him on November 09, 2025, 11:11:40 AM

Quote from: Q-Feeds on November 08, 2025, 02:21:03 PMSorry didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think its best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues (https://github.com/opnsense/plugins/issues)

No crashes, disk full or power loss - all running fine. I restarted the host that OPNSense is running on and it's now working. Strange that it was working during the day, then overnight the log somehow was corrupted. I'll keep an eye on it.

How frequently is the widget "Blocked" number updated ?

Probably fixed because the log rotated with the reboot. Indeed curious how and why this happend but glad it's fixed now. The cron job for the widget runs every 15 minutes.

Quote from: passeri on November 09, 2025, 02:55:28 AMMisunderstanding something. The internal router stopped it. The edge router can never see what is not passed to it in the first place.

I have no further such contacts. I have organised to track their app source if one turns up again.

Aah sure that makes sense, its outbound traffic off course.

Quote from: passeri on November 09, 2025, 11:48:11 AMTo wrap up the curiosity item (https://forum.opnsense.org/index.php?msg=252089) I raised, one of those addresses is bam.nr-data.net which is a gathering point for browser activity tracking, while the other is bigcommerce.com related to shopfront checkouts and again probably about activity data collection given purchases were not affected. Calls originated from Apple Safari, not Mullvad, although it is not excluded that that is coincidence.

While they are more about privacy than security, nothing has broken with them being blocked.

Makes sense as well. Platforms like bigcommerce, Shopify etc are often used to host malicious scripts or files. This IP from them is also used as an open HTTP proxy that's probably the reason it's in the list. Well since it didn't break anything we'll keep it in the list for now.

Hi... I am interested in testing out Q-Feeds, if that windows of opportunity is still open.

Me too - I already registered for a free account on TIP.

I've been testing this out and had a question about the malware IP list.

Why doesn't it use CIDR notation? The list contains over 500,000 individual IP addresses, and I can see entire /24 ranges represented as separate entries — even including the broadcast addresses. That seems inefficient for the firewall, especially since the premise of Q-Feeds is supposed to involve preprocessing and aggregation.

This approach also makes it practically impossible to scale into IPv6, where the smallest subnet is a /64. It feels like a dead-end implementation.

Quote from: IsaacFL on November 10, 2025, 06:17:17 PMI've been testing this out and had a question about the malware IP list.

Why doesn't it use CIDR notation? The list contains over 500,000 individual IP addresses, and I can see entire /24 ranges represented as separate entries — even including the broadcast addresses. That seems inefficient for the firewall, especially since the premise of Q-Feeds is supposed to involve preprocessing and aggregation.

This approach also makes it practically impossible to scale into IPv6, where the smallest subnet is a /64. It feels like a dead-end implementation.

You're absolutely right, there's definitely room for improvement when it comes to optimizing CIDR usage. The main challenge is that in many cases, only specific IPs within a larger block are confirmed malicious. Aggregating them into CIDRs would mean potentially blocking legitimate traffic, especially in shared or cloud environments where a /24 can contain hundreds of unrelated tenants.

IPs in threat feeds are also quite dynamic servers get cleaned up, new ones appear, and attackers constantly shift infrastructure. Keeping indicators at single-IP granularity allows us to stay accurate and flexible when rotating data. We already perform preprocessing and deduplication before publishing feeds, so even though the list looks large, it's already optimized for relevance and quality.

For IPv6 it's a different story. Blocking based on IPv6 addresses is significantly harder because malicious actors rotate them extremely fast, often making static blocking useless. That's why future IPv6 detection strategies will likely focus more on ASN or behavioral patterns instead of individual addresses.

That said, there's no performance impact for firewalls we haven't seen any cases where the number of IOCs caused issues. OPNsense even raised the default table size to 20M entries, so handling large datasets like this isn't a problem.

Quote from: tmcarter on November 10, 2025, 04:16:19 PMHi... I am interested in testing out Q-Feeds, if that windows of opportunity is still open.

Quote from: meyergru on November 10, 2025, 05:40:40 PMMe too - I already registered for a free account on TIP.

We're well past the beta phase now, but you're more than welcome to start using it! On our OPNsense landing page you can find all the information you need, including the implementation manual: https://qfeeds.com/opnsense/

Since we have our own sub forum now we are closing this topic. Feel free to open a new topic for feature request, questions, comments etc etc. We will be around to do our best to answer everything!