Messages - Q-Feeds

#1
Quote from: passeri on Today at 12:16:59 PM
Stefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?

I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?

Hi Passeri,

Licensing is per firewall indeed, we check it based on IP. This is not applicable for the community version, that's an all you can eat recipe with no restrictions besides the refresh rate. That said for every firewall you need a new API token in order to be able to pull the data.

Kind regards,

David
#2
Quote from: Seimus on Today at 12:01:31 PM
Hello David,

Many thanks for the replies. I am looking forward to trying it out!

I see a huge potential in this, mainly because there is no extra overhead, this means network performance should be on par.
Many of us may have slower internet connections (<1Gbit/s), but run High speed LANs for internal services.

Regards,
S.

Even better, in some cases we see a drop in the firewall load since we're blocking all the crap :) I'm glad you're as enthusiastic as we are, looking forward to your feedback! I've sent you a PM with the instructions ;)
#3
Quote from: Seimus on Today at 10:19:45 AM
Hi,

Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.

Network engineer here, I am mostly doing last end support (or whatever that means in my company).

............


Hi Seimus,

Thank you for your interest and the great questions! Good news upfront; you're not too late to the party, I'll send you the instructions in a minute.

Here are the answers:
  • This is exactly what we're doing, we're just using the native packet filter (pf) to block based on the aliases
  • No, we don't collect any personal data regarding connections, blocks etc. The only thing we 'collect', or better said monitor, are the API requests for pulling the latest Threat Intelligence. All the data we collect is also visible in our TIP. To provide an overview we collect: Date and time of when the API call has been made to pull in the TI, IP addresses (licenses are bound per firewall), and the client header to see which platform is being used (in this case OPNsense of course).
  • We don't just scrape data from the internet. Our threat intelligence is built from over 2,500+ different sources, combining commercial, public, and proprietary intelligence. This includes commercial and paid feeds such as URL, botnet, malware, IP, and intrusion databases, alongside public OSINT from social media, dark web, and phishing data. In addition, we enrich our intelligence as well with proprietary sources from our own honeypots, network activity, logs, and scans.

    What really sets Q-Feeds apart is how we connect the dots between these different pieces of intelligence, creating a more comprehensive and contextual threat picture. To ensure high data quality, we only use verified and trustworthy sources. We validate all data against RFC internet technical standards, false positives and so on. We remove duplicates, and apply relevance filtering to keep the most accurate and actionable intelligence.

    This layered approach ensures our feeds are reliable, validated, and meaningful, not just random data from the web.
  • It's a combination of the leading cybersecurity vendors in the world. We're not able to provide you the details because of agreements we've made with them.
  • I could tell you a great story that we're the absolute best compared with them, but better is to advise you to take it to the test ;-) We believe in the world of cybersecurity every solution is complementary to each other.

Kind regards,

David
#4
Quote from: llama6668 on Today at 06:21:13 AM
Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of an auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that may be unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig

Hi llama6668,

Thank you very much for your feedback! We've added it to our improvement list!
#5
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 09:56:34 PM
Quote from: Patrick M. Hausen on October 05, 2025, 09:47:37 PM
Looks like the Apple Pay quick checkout did not work as expected.

But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?

Hi Patrick,

Thanks for checking, it seems the Apple Pay checkout didn't process correctly indeed. We've temporarily disabled Apple Pay while we look into this issue.

Regarding your question: the OPNsense Basic License was the former name of the Community Version. Together with OPNsense/Deciso, we decided to make this version freely available for the community, so the Basic Package is no longer available for purchase.

Thanks again for your feedback and for pointing this out, and we would like to invite you to try our check-out flow again :).
#6
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 09:45:36 PM
Quote from: Patrick M. Hausen on October 05, 2025, 09:26:16 PM
Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.

Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.

Hi Patrick,

Thank you very much for your feedback!
Your suggestion regarding the aliases is a great idea and we'll discuss this internally.

As for the payment, I've sent you a PM to look into it further.
#7
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 09:06:43 PM
Quote from: dmurphy on October 05, 2025, 08:04:33 PM
Thank you for the invite! So far, everything is working great.

There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.

I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.

For others, I also inquired and IPv6 is indeed supported and in the IP lists.  It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.

One thing that was interesting (for me) was adding logging to the rules. As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN).

Dang is it hostile out there.

Luckily you were able to sort it out but we'll update it in the guide anyway :), thanks for pointing it out!
Regarding the 'auto add rules button': On the roadmap :)

While V6 is not necessarily cleaner, cybercriminals are able to rotate IP addresses quicker. That said they're quite short-lived in our lists. And can't agree more, the more blocked the better!

"Dang is it hostile out there." --- dmurphy
Unfortunately it is...
#8
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 08:52:13 PM
Quote from: _tribal_ on October 05, 2025, 05:34:42 PM
Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance

Thank you! Sent you a PM with the instructions.
#9
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 08:47:21 PM
Quote from: Lurick on October 05, 2025, 01:10:44 PM
Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.

.............



Amazing Lurick! Thank you so much for this valuable feedback, really appreciate the time and detail you've put into it! We absolutely love it. It was quite a list, but we managed to address most of it right away! Here's our response:

For the plugin:
  • There's a link to our website (which links to the TIP) under the help section. Since this is a bit hidden, we totally understand your feedback. We'll improve this in the next iteration.
  • User hits are visible via the widget on the OPNsense dashboard. We're not planning to collect any user data to show in the TIP. The number of IOCs is also visible on the OPNsense dashboard widget. I agree it would be great to have such stats on the plugin's main page as well. We'll add this to the roadmap.
  • You're absolutely right! At the moment, the OPNsense plugin only supports IP lists, but we'll be adding Domains and URLs soon. Stay tuned ;)
  • Thanks a lot! This was indeed a bug in the console, it's fixed now!

For the Q-Feeds site:
  • We're currently not planning to include all TIP functionality directly on the website, but we agree it should be more accessible. Thanks for the suggestion, we'll discuss it internally.
  • Loved that feedback, we've added a link to our contact page in the warning right away!
  • That pop-up was super annoying indeed! It's fixed and much easier to read now.
  • We've fixed this in many places already, but please let us know if you spot any more examples :)
  • The limited allowed IPs are tied to paid subscriptions, since part of the license model depends on the number of firewalls (IPs). This is already functional but only editable by resellers or administrators. The field remains visible to end-users so they can distinguish between multiple keys.
  • This was a fun one, thanks for catching it! Just to explain: the portal is designed for distributors, MSPs, and resellers as well. That field is meant for assigning end-users to resellers or resellers to distributors when applicable. Regular end-users and community users shouldn't see it anymore.
  • We've updated the description. It's actually a Progressive Web App (PWA), so it's Android-ready too!
  • Great catch, fixed it!
  • Nice find! This issue was similar to observation 6. Thanks again for reporting it!
  • Cleaned up and organized, everything now lives under 'Settings'.
#10
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 05, 2025, 11:31:30 AM
Thanks a lot for spotting that, you're absolutely right! That's a mistake on our side. The "Plus" tier should indeed include Commercial IP data. We've corrected it, and really appreciate you catching that! https://qfeeds.com/opnsense/


OSINT (Open Source Intelligence) data comes from open sources like communities, news etc. Commercial (or paid) data comes from vetted, paid intelligence providers. We notice these feeds usually detect threats faster and with better accuracy and quality. Think about APT groups etc. Services refers to the services around the TI and extra functionality that come with our Threat Intelligence Platform (TIP), like enrichment, faster updates, and extended IoC lookups.

We'd be happy to have you as a tester! Your setup sounds perfect for evaluating. I'll follow up with the details so you can get started.

#11
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 04, 2025, 11:46:20 PM
Quote from: dan786 on October 04, 2025, 11:43:52 PM
I'm interested in trying it. Does it use the logs in any form for how it works?

Thank you very much that you're willing to test it, already looking forward to your feedback. It will use aliases so you can define the firewall rules and link the alias with the firewall rule to block it based on our intelligence. I'll send you the instructions via a PM.
#12
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 04, 2025, 06:12:43 PM
Quote from: Lurick on October 04, 2025, 05:48:01 PM
Quote from: Q-Feeds on October 04, 2025, 04:06:15 PM
Thanks Brian and Craig. I've sent you the instructions via a PM. Looking forward to hearing your feedback!

So far it's been easy to set up, having a checkbox in settings to auto add rules might be nice moving forward but not super difficult to add a couple floating rules either. I also did end up getting a few errors and I only see a single alias/feed in the rules to select but I show three lists in the GUI for the plugin:
Quote
downloaded index to /var/db/qfeeds-tables/index.json
skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Hi Brian,

Thank you for your feedback. I think that's a great idea for our roadmap, we've added it right away. The domains and URLs are still to be implemented within the plugin but indeed they do already show up within the available feeds table. The DNS and URL feeds are the next big feature to be fully supported on our roadmap, we do expect this soon. We already do have possibilities to implement this using Pi-hole or AdGuard, for example; if you're interested I can share the instructions for this workaround for now.

The errors you're seeing are actually expected. It means the plugin skipped the download of the new feed due to the rate limit related to the license. Community users are eligible for an update every 7 days, Plus users every 4 hours and Premium users every 20 minutes. If an update is triggered twice within those timeframes the plugin will show these 'errors'. Here's an overview of the available licenses: https://qfeeds.com/opnsense/

Best regards,

Stefan
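
An added example, not part of the original posts and not the plugin's own code: a small triage helper that reads update output like the lines quoted above and decides whether an HTTP 429 falls inside the refresh window of the license tier. It assumes the bracketed timestamp on a "skipped" line is the last update time of the local feed file; the function name and verdict labels are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Refresh windows per license tier, as stated in the post above.
REFRESH_WINDOW = {
    "community": timedelta(days=7),
    "plus": timedelta(hours=4),
    "premium": timedelta(minutes=20),
}

SKIPPED_RE = re.compile(r"^skipped (\S+) \[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\]$")
HTTP_ERROR_RE = re.compile(r"^exit with HTTPError (\d{3})\b")


def triage(lines, tier, now):
    """Classify one update run.

    Returns (verdict, next_allowed). verdict is "ok", "expected-rate-limit",
    "investigate" or "error". next_allowed is the earliest time a new pull
    should be accepted, or None when no skipped-feed timestamp was seen.
    """
    window = REFRESH_WINDOW[tier]
    last_update, status = None, None
    for line in lines:
        line = line.strip()
        m = SKIPPED_RE.match(line)
        if m:
            # ASSUMPTION: the timestamp is the last update of the local copy.
            ts = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            last_update = ts if last_update is None else max(last_update, ts)
        m = HTTP_ERROR_RE.match(line)
        if m:
            status = int(m.group(1))
    next_allowed = last_update + window if last_update is not None else None
    if status is None:
        return "ok", next_allowed
    if status != 429:
        return "error", next_allowed          # not a rate limit at all
    if next_allowed is not None and now < next_allowed:
        return "expected-rate-limit", next_allowed
    return "investigate", next_allowed        # 429 although the window has passed


# The three output lines quoted in the thread above.
SAMPLE = [
    "downloaded index to /var/db/qfeeds-tables/index.json",
    "skipped /var/db/qfeeds-tables/malware_ip.txt [2025-10-04T11:47:47Z]",
    "exit with HTTPError 429 (Rate limit exceeded. Please try again later.)",
]
```

An "investigate" verdict only means the 429 is not explained by the tier's window under the stated assumption; it does not say what the cause is.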
#13
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 04, 2025, 04:06:15 PM
Thanks Brian and Craig. I've sent you the instructions via a PM. Looking forward to hearing your feedback!
#14
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 03, 2025, 11:07:38 AM
Quote from: Enigm69 on October 03, 2025, 10:15:22 AM
Can you add me to your testers list as well.

Thanks

Done, looking forward to hearing your findings!
#15
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 03, 2025, 09:17:46 AM
Quote from: mzurhorst on October 03, 2025, 08:37:10 AM
I would also be interested, when you need more testers.
Best regards,
  Marcus

The more input, the better!
We're especially interested to hear from all of you about:

  • The user flow
  • The widget (how it behaves and feels in practice)
  • The results you're seeing
  • And of course, the Q-Feeds TIP

Your feedback is incredibly valuable and will help us improve the overall experience.