Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Quote from: vk2him on November 09, 2025, 11:11:40 AM
Quote from: Q-Feeds on November 08, 2025, 02:21:03 PM
Sorry, didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think it's best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues

No crashes, disk full or power loss - all running fine. I restarted the host that OPNSense is running on and it's now working. Strange that it was working during the day, then overnight the log somehow was corrupted. I'll keep an eye on it.

How frequently is the widget "Blocked" number updated ?

Probably fixed because the log rotated with the reboot. Indeed curious how and why this happened, but glad it's fixed now. The cron job for the widget runs every 15 minutes.

Your Threat Intelligence Partner  qfeeds.com

Quote from: passeri on November 09, 2025, 02:55:28 AM
Misunderstanding something. The internal router stopped it. The edge router can never see what is not passed to it in the first place.

I have no further such contacts. I have organised to track their app source if one turns up again.

Aah sure, that makes sense, it's outbound traffic of course.

Quote from: passeri on November 09, 2025, 11:48:11 AM
To wrap up the curiosity item I raised, one of those addresses is bam.nr-data.net which is a gathering point for browser activity tracking, while the other is bigcommerce.com related to shopfront checkouts and again probably about activity data collection given purchases were not affected. Calls originated from Apple Safari, not Mullvad, although it is not excluded that that is coincidence.

While they are more about privacy than security, nothing has broken with them being blocked.

Makes sense as well. Platforms like bigcommerce, Shopify etc. are often used to host malicious scripts or files. This IP from them is also used as an open HTTP proxy; that's probably the reason it's in the list. Well, since it didn't break anything we'll keep it in the list for now.


Your Threat Intelligence Partner  qfeeds.com

Hi... I am interested in testing out Q-Feeds, if that window of opportunity is still open.


Me too - I already registered for a free account on TIP.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I've been testing this out and had a question about the malware IP list.

Why doesn't it use CIDR notation? The list contains over 500,000 individual IP addresses, and I can see entire /24 ranges represented as separate entries — even including the broadcast addresses. That seems inefficient for the firewall, especially since the premise of Q-Feeds is supposed to involve preprocessing and aggregation.

This approach also makes it practically impossible to scale into IPv6, where the smallest subnet is a /64. It feels like a dead-end implementation.

Quote from: IsaacFL on November 10, 2025, 06:17:17 PM
I've been testing this out and had a question about the malware IP list.

Why doesn't it use CIDR notation? The list contains over 500,000 individual IP addresses, and I can see entire /24 ranges represented as separate entries — even including the broadcast addresses. That seems inefficient for the firewall, especially since the premise of Q-Feeds is supposed to involve preprocessing and aggregation.

This approach also makes it practically impossible to scale into IPv6, where the smallest subnet is a /64. It feels like a dead-end implementation.


You're absolutely right, there's definitely room for improvement when it comes to optimizing CIDR usage. The main challenge is that in many cases, only specific IPs within a larger block are confirmed malicious. Aggregating them into CIDRs would mean potentially blocking legitimate traffic, especially in shared or cloud environments where a /24 can contain hundreds of unrelated tenants.

IPs in threat feeds are also quite dynamic: servers get cleaned up, new ones appear, and attackers constantly shift infrastructure. Keeping indicators at single-IP granularity allows us to stay accurate and flexible when rotating data. We already perform preprocessing and deduplication before publishing feeds, so even though the list looks large, it's already optimized for relevance and quality.

For IPv6 it's a different story. Blocking based on IPv6 addresses is significantly harder because malicious actors rotate them extremely fast, often making static blocking useless. That's why future IPv6 detection strategies will likely focus more on ASN or behavioral patterns instead of individual addresses.

That said, there's no performance impact for firewalls; we haven't seen any cases where the number of IOCs caused issues. OPNsense even raised the default table size to 20M entries, so handling large datasets like this isn't a problem.

Your Threat Intelligence Partner  qfeeds.com
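To make the trade-off in the two posts above concrete (IsaacFL's observation that whole /24s appear as 256 separate entries, and Q-Feeds' point that aggregating partially covered blocks would catch unrelated tenants), here is an added example that is not part of the thread or of the Q-Feeds plugin. It uses Python's standard ipaddress module on a constructed feed built from documentation ranges, and compares an exact collapse (merge only blocks whose every address is listed, which is safe and loses nothing) with a naive round-up to /24 (which over-blocks). The function names and the sample feed are mine, not the plugin's.

```python
import ipaddress

# Constructed sample feed (RFC 5737 documentation ranges, not real indicators):
# - every address of 192.0.2.0/24, including .0 and the .255 broadcast address
# - a contiguous run 203.0.113.0 .. 203.0.113.63 (exactly one /26)
# - three scattered hosts in 198.51.100.0/24 (a partially covered block)
SAMPLE_FEED = (
    [str(ip) for ip in ipaddress.ip_network("192.0.2.0/24")]
    + [str(ip) for ip in ipaddress.ip_network("203.0.113.0/26")]
    + ["198.51.100.7", "198.51.100.99", "198.51.100.200"]
)


def exact_collapse(ips):
    """Merge single addresses into CIDR blocks only where every address of
    the block is present. Partial blocks stay as /32 entries, so the result
    matches the input address set exactly and never adds a single address."""
    host_routes = [ipaddress.ip_network(ip) for ip in ips]  # each IP as a /32
    return sorted(ipaddress.collapse_addresses(host_routes))


def naive_collapse(ips, prefixlen=24):
    """Round every address up to its enclosing /prefixlen block (the
    aggressive aggregation the thread warns about)."""
    blocks = {ipaddress.ip_network(ip).supernet(new_prefix=prefixlen) for ip in ips}
    return sorted(blocks)


def collateral(ips, networks):
    """Count addresses covered by `networks` that were not in the feed, i.e.
    how many unrelated hosts an aggregated list would block."""
    wanted = {ipaddress.ip_address(ip) for ip in ips}
    covered = sum(net.num_addresses for net in networks)
    return covered - len(wanted)


def summarize(ips):
    """Return (entries before, entries after exact collapse, collateral after
    exact collapse, collateral after naive /24 collapse)."""
    exact = exact_collapse(ips)
    naive = naive_collapse(ips)
    return len(ips), len(exact), collateral(ips, exact), collateral(ips, naive)


if __name__ == "__main__":
    before, after, extra_exact, extra_naive = summarize(SAMPLE_FEED)
    print(f"{before} single-IP entries -> {after} entries after exact collapse")
    for net in exact_collapse(SAMPLE_FEED):
        print("  ", net)
    print(f"addresses over-blocked: exact={extra_exact}, naive /24={extra_naive}")
```

Exact collapse turns the 323 constructed entries into 5 (one /24, one /26, three /32s) with zero extra addresses, while rounding up to /24 would block 445 addresses the feed never listed. The same ipaddress calls work for IPv6 /128 entries as long as a list is not mixed between families, which is the part that matters for the /64 concern raised above.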

Quote from: tmcarter on November 10, 2025, 04:16:19 PM
Hi... I am interested in testing out Q-Feeds, if that window of opportunity is still open.


Quote from: meyergru on November 10, 2025, 05:40:40 PM
Me too - I already registered for a free account on TIP.

We're well past the beta phase now, but you're more than welcome to start using it! On our OPNsense landing page you can find all the information you need, including the implementation manual: https://qfeeds.com/opnsense/

Your Threat Intelligence Partner  qfeeds.com

Since we have our own sub forum now, we are closing this topic. Feel free to open a new topic for feature requests, questions, comments, etc. We will be around to do our best to answer everything!

Your Threat Intelligence Partner  qfeeds.com