Messages - Lurick

#1


#2
Quote from: Q-Feeds on October 17, 2025, 03:13:39 PM
Quote from: Lurick on October 17, 2025, 03:09:19 PM
Did the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.

That's severe! Can you share some logs? Which blocks have been registered?


It seemed to be blocking everything outbound from the LAN interface, from 192.168.0.0/16
Which logs should I collect to help narrow this down?
#3
Did the feeds get messed up?
At about 8:45am EST QFeeds started blocking EVERYTHING on my network out of nowhere.
I had to disable the firewall rules to regain connectivity.
#4
Quote from: Q-Feeds on October 11, 2025, 03:41:36 PM
Quote
I did have to use:
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py
instead of
/usr/local/opnsense/scripts/qfeedsctl.py
to run the three commands

Aah yes that was my mistake. The commands show the expected behavior... you've tried a reboot already I guess?

Or this "service configd restart"

service configd restart didn't fix it but a firewall reboot did :)
#5
Quote from: Q-Feeds on October 11, 2025, 02:17:42 PM
Quote from: Lurick on October 11, 2025, 01:32:33 PM
Dang, I was hopeful but that still shows the same behavior even on stock theme
For logs I see this in the Web GUI log tab:
 (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.82/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-1: Connection refused

.........

Hmm interesting. Perhaps a reinstall of the plugin does the trick, like Seimus suggested?
Otherwise could you provide us with the output of the following commands:

/usr/local/opnsense/scripts/qfeedsctl.py fetch_index -v
/usr/local/opnsense/scripts/qfeedsctl.py fetch -v
/usr/local/opnsense/scripts/qfeedsctl.py firewall_load -v




Sure, reinstall didn't fix it sadly

Quote
root@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py fetch_index -v
send: b'GET /licenses.php HTTP/1.1\r\nHost: api.qfeeds.com\r\nUser-Agent: Q-Feeds_OPNsense\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nAuthorization: Basic {redacted}\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Sat, 11 Oct 2025 13:04:45 GMT
header: Server: Apache/2
header: X-Content-Type-Options: nosniff
header: Strict-Transport-Security: max-age=63072000; includeSubDomains
header: Upgrade: h2,h2c
header: Connection: Upgrade, Keep-Alive
header: Vary: Accept-Encoding,User-Agent
header: Content-Encoding: gzip
header: X-XSS-Protection: 1
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Referrer-Policy: no-referrer-when-downgrade
header: Feature-Policy: geolocation 'self'; vibrate 'none'
header: X-Download-Options: noopen
header: X-Permitted-Cross-Domain-Policies: master-only
header: X-DNS-Prefetch-Control: on
header: Strict-Transport-Security: max-age=31536000
header: Permissions-Policy: geolocation=*, midi=(), sync-xhr=(self "https://qfeeds.com" "https://www.qfeeds.com"), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self "https://qfeeds.com" "https://www.qfeeds.com")
header: Content-Length: 733
header: Keep-Alive: timeout=2, max=100
header: Content-Type: application/json
downloaded index to /var/db/qfeeds-tables/index.json
root@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py fetch -v
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-11T13:00:00Z]
skipped /var/db/qfeeds-tables/malware_domains.txt [2025-10-11T13:00:00Z]
skipped /var/db/qfeeds-tables/phishing_urls.txt [2025-10-11T13:00:00Z]
root@firewall:/usr/local/opnsense/scripts/qfeeds # ./qfeedsctl.py firewall_load -v
load feed malware_ip [no changes.]
root@firewall:/usr/local/opnsense/scripts/qfeeds #




I did have to use:
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py
instead of
/usr/local/opnsense/scripts/qfeedsctl.py
to run the three commands
#6
One last question, on the Firmware > Plugins page I see
os-q-feeds-connector (misconfigured)

Is that anything to worry about?
#7
Dang, I was hopeful but that still shows the same behavior even on stock theme
For logs I see this in the Web GUI log tab:
 (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.82/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-1: Connection refused

For backend I see:
[34c6aa36-3191-4630-92d7-cb4980e92036] Script action stderr returned "b'/bin/sh: /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py: not found'"

and

[8f76feea-fd1b-40e5-9b0a-9c4a4e852bfd] Script action failed with Command '/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py stats ' returned non-zero exit status 127. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py stats ' returned non-zero exit status 127.
#8
I wonder, I did just install the new package over top without removing the old package, could that have caused issues?
What's the best way to uninstall so I can reinstall?

Command:
pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-0.1_1.pkg
#9
Nope, just the Cicada theme from OPNsense
I did however try to use the stock opnsense theme too but the same results even after clearing cache and cookies on the browsers.
I also triple checked and no addons or anything are enabled either on the browsers.
#10
Quote from: Seimus on October 11, 2025, 01:17:38 PM
Looks like the plugin didn't load for you properly, did you try to clear cache in the browser?

Regards,
S.

Yup, even opened opnsense in another browser since I use Firefox to be 1000% sure (Edge and Chrome in my case) and it always loads the same
#11
Quote from: Q-Feeds on October 10, 2025, 11:16:15 PM
Quote from: Lurick on October 10, 2025, 09:44:48 PM
Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM
!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic of how the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

.....



Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.

Well it could take up to 30 seconds to load the actual events. The missing tab is interesting, can't seem to reproduce that. Anyone else experiencing that?

Hmmm, interesting, here is a screenshot of what I see:
#12
Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM
!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic of how the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay and the Premium license is still the latest set. That said you can (try to) pull the data as many times (within boundaries) as you want on a day, you will receive the dataset of 7 days / 4 hours ago / 20 minutes respectively. The update mechanism in the plugin automatically handles the right update time.

We also added an event page to the plugin to see the actual activity. This will only work if you've applied logging on the rules where the Alias is bound to.

We've improved the widget with some more data.

And the plugin now moved from 'Services' to 'Security'

The new update scheme is already active. If you want to test the new Plugin functionality you can run the following command:

pkg add -f <same URL but with "-0.1_1.pkg" as extension>

If you can't get it to work please send us a PM.

Please do not share the URL yet on the forum since we want to keep the testing group under control for now :)

Known issue: the widget on the TIP dashboard only shows the Premium count currently for all users. We will change this in the upcoming (work)days. We might spend some weekend hours on it :)

Once more we want to thank you all for your feedback! And obviously we keep on working on the rest of the list.

Kind regards,

Stefan

Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.
#13
Quote from: Monviech (Cedrik) on October 10, 2025, 05:38:10 PM
You do not need additional floating rules.

In the current one, set an Alias as Source (invert it in the rule) in which you add all hosts that should be excluded.

This means, all hosts that are not the ones in the alias will be inspected.

Same can be done with an inverted destination alias.

Awesome! That works perfectly :)
#14
I realized I forgot to reply to the earlier quote but thank you for addressing those concerns I had so quickly!
One thing I just realized might be good to have on the roadmap is whitelisting. Either inbound or outbound integrated into Q-Feeds. Say I want a host to not be restricted by q-feeds but still protected in other ways if that makes sense, it would be good to be able to easily whitelist source/destinations (public or private IPs) without the need for additional floating rules.
#15
Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.
4. The Feeds list on the plugin shows three lists but the TIP console shows 4 feeds for the free tier and 8 for the top paid tier. It might be good to make this more clear in some way. Maybe even just a tooltip that says if the three shown lists in the plugin encompass all available feeds for the API token.

For the QFeeds site:
1. On the main qfeeds webpage have a more direct link to the TIP console and other products as well, there doesn't appear to be a direct way from qfeeds.com to access the TIP console or other pages
2. Attack surface page on TIP console, might be good to have account manager email or contact methods auto populated for easier communication between end user and the qfeeds teams.
3. OPNsense banner on the TIP dashboard seems to cover some messages that pop up and the X in dark mode was near invisible with the current banner color. Additionally, every time I navigate to a new page it shows back up after being dismissed.
4. Dark mode version definitely needs improvement. Right now text is very hard to read in a lot of cases.
5. API Keys shows "Allowed IPs" as "any" but no way to change this. I assume limiting where API calls can come from is coming at some point but just wanted to ask mostly if that's the case.
6. Company Information lists other companies for "Parent Company", not sure if this is a good idea to have companies listed here but just wanted to call this out.
7. Is there an android app coming at some point? I see the app page under Settings but it just mentions iPhone so I wasn't sure.
8. Company Information seems a bit difficult to get to since it's buried in "Manage API Keys" from the main Dashboard and that's a different page from User's API Keys page. I definitely feel as though a Company Information/Settings area at the top next to OR within "Settings" menu would be much better.
9. Company Information seems to require a "Role" but that's empty for me and as such I cannot save any changes on that page.
10. I have a link under Manage Company that is supposed to take me to "https://tip.qfeeds.com/views/admin/companies.php" but when I click "Back to Companies" it takes me to the dashboard. I feel as though this definitely should be cleaned up and the "https://tip.qfeeds.com/views/dashboard/index.php?error=Access%20denied" should be displayed as a message as well or something to handle this better for users within a company.