Q-feeds (Community Version): Impressions after several days

Started by Richard090969, March 25, 2026, 01:32:53 PM


Hello,
I have been using the Community Edition of Q-Feeds for quite some time now, but my initial enthusiasm has gradually given way to a certain sense of disappointment.

At the beginning of my testing, Q-Feeds was reliably blocking almost everything. This gave me the impression that, in the long run, it might even be possible to replace CrowdSec entirely with Q-Feeds.

However, after more than seven days, the picture looks quite different. Q-Feeds is now contributing very little, while my static Spamhaus blocklists in combination with CrowdSec are doing most of the work. Q-Feeds is only filtering the small remainder that gets through.

At this point, whether Q-Feeds is active or not in the Community Edition makes no noticeable difference in practice. It is worth mentioning that Q-Feeds is placed at the very top of my rule order.

cu Richard




I installed Q-Feeds Community two weeks ago.

I created a rule to log all blocked traffic that otherwise won't be logged - the Default Deny rule has had its logging disabled.

Attached is a screen shot of the rules and the count of evaluations/blocked connections by each. 24-hours prior, the numbers were similar with the exception that FireHOL CIArmy had blocked 1 connection.

The sums, based upon the details of the evaluations for Q-Feeds and Nothing Else Blocked, are:

Q-Feeds: 0.0632%
Nothing Else: 1.7778%

From these numbers, we can deduce Bitwire-IT blocked 98.159% of all blocked incoming connections.

Last night, after updating OPNsense to 26.1.7_3, which incidentally also updated Q-Feed Connector to version 1.5_3, I took this screen shot then disabled three of the listed rules.

Just took a screen shot of these rules a short while ago and you can see Q-Feeds blocked quite a few today. There was just one (persistent) miscreant that has attempted to telnet to my IP address and did so from 02:13am this morning, ceasing at 04:16pm this afternoon (14 hours).

It remains to be seen what Q-Feeds will block for me over the coming months.

I'm not sure "total amount of blocks" is a good metric without "quality of individual blocks".

I find most blocklists that are available too intrusive and overly strict. In my opinion Q-Feeds does a good job here with quality instead of quantity.
Hardware:
DEC740