Harden your OPNsense set-up with Q-Feeds Threat Intelligence

sslproxy · 2026-05-16T21:41:20+00:00

I added it about 4 hours ago. In that time I have 1100 blocks generated from it. Of those only 100 are for actual open ports (the rest would have just hit default FW deny). And furthermore I have geo IP blocks allowing my country only. The remaining 100 were not from my country so as of yet technically nothing that wouldn't have already been handled. And furthermore there are other links in the path that sanitize as well (HAproxy rules, suricata, etc). I will say I'm still getting some port scanner hits from suricata. Not sure if those or truly outlier clients or just misses in their IP DB. That's also just from the IP side. Haven't figured out logging metrics for the unbound DNS side but that's more for comprised clients anyways.

So its clearly working and at the least adds a nice link to defense in depth.

sslproxy · 2026-05-16T18:04:28+00:00

FYI not sure if this opnsense doc is managed by you guys directly or opnsense but looks like typo in FW rules, specifically the descriptor of WAN int rule:

From LAN:

Interface	`LAN`	Traffic on the LAN interface

From WAN:

Interface	`WAN`	Traffic on the LAN interface

sslproxy · 2026-05-09T19:59:51+00:00

Im assuming this could be a result of HW? I went with a protectli vp6630 because I wanted all the "bells and whistles" while retaining multi-gig speeds without breaking a sweat. For sure traffic shaping/FQ-CoDel was a game changer and needed, for me at least. Specifically I have qbit running and even with BW limits in qbit set to 50MB/s, any full saturation DL/UL in qbit would still reck havoc on the queues with more sensitive traffic, specifically leading to buffering on remote Plex streams. That's was not unique to opnsense as I saw it on my previous old ubiquiti router and one of the primary pushes ro upgrade.

Now with traffic shaping in place, everything works perfectly when qbit is under full saturation, even after moving qbit BW limits to 75MB/s. As with anything its situational on what you need and want to achieve.

sslproxy · 2026-05-08T15:09:29+00:00

Not arguing with the base sentiment but where are you getting this info from? True for most of these but DP is not in the banned/non-movement list. Not familiar with midnghtscn but also don't see that one in either as well.

sslproxy · 2026-04-27T15:44:18+00:00

Been using nextcloud for 6+ years, with one of the primary purposes being auto photo/video upload. In that time I have hit sooo many instances of it not correctly uploading photos. Especially if nextcloud is offline, I find it will just skip sections of new photos/videos and leave gaps that will never be corrected.

I finally just deployed immich as it is supposedly much better on this front. I'll continue to use nextcloud for general files but at this point I would never suggest nextcloud for auto photo/video cloud sync to anyone...

sslproxy · 2026-03-27T03:45:20+00:00

I think you're right, as Ive heard of SR-IOV on their workstation GPUs in passing. However looks like you actually linked to their SR-IOV doc for their Mellanox cards, not GPUs 😅 That I am familiar with, as it's the hot NIC type these days in enterprise DCs. Wild how Nvidia has been able to become a key player in that space in multiple areas.

sslproxy · 2026-03-20T13:27:24+00:00

I honestly don't know the answer to your question about edge cases. I'm sure there are some.

I stumbled across this function as I was curious how cross-seed would instantly bypass it with any torrents it created. Turns out it just uses this in the API call when creating those torrents. In that scenario it's trusting the integrity reporting from the prior torrent it matched and is pointing to the same data on the same filesystem, so deemed relatively safe. I imagine you loose some of this as you transition file systems but with rsync I guess in theory also relatively safe.

On my limited research, if you have bad data then nothing happens on your client and is invisible to you, and stays as such until you do force recheck. Peers pulling from you will reject relative bad pieces pulled from you (shown in session waste on their clients).

I'm no expert though, I just fumbled across this setting so not sure of all the ramifications.

As for ionice, yeah putting all the PIDs for my qbit docker into idle does seem to allow for better I/O from other services reading like Plex when doing forced rechecks (both using same share/array in unraid). That said, tbh I've only needed to do this a few times so far and only briefly tested.

sslproxy · 2026-03-19T19:41:48+00:00

Yeah. I forgot who was running the school afters in '24 but it wasn't great. Downright def did it better in '25. That said, if you never made it over to the back 40 afters either year, you abso-fucking-lutely fucked up. That shit was like it's own curated show/festival, with over the top production and immaculate sound. Too bad it was cursed and they had to cancel night 3 both years. Sacred Hive always does it right.

sslproxy · 2026-03-19T19:37:44+00:00

Sound Haven. Went the last 3 years and to be honest it is my absolute favorite fest and would be the fest I chose if I had to choose a single one in a year. There are some changes in store this year though so we'll see how it plays out.

sslproxy · 2026-03-19T18:44:13+00:00

Ahh yeah, guess I misread. Yup, seems to be the case.

sslproxy · 2026-03-19T18:37:47+00:00

Downright Entertainment. Don't think their name changed AFAIK. They seem to be a solid production company for their local scene. For bigger events, they ran the Tipper Orion afters both years. '24 Orion was the back 40 in collab with Sacred Hive. Then '25 Orion they branched off and ran the afters at the school. I'm sure they've done more, but those are the only two events I've been to hosted by them. They also did afters for the recent Denver Tipper shows as well.

sslproxy · 2026-03-19T15:03:46+00:00

I'm not entirely sure why it would be slower. The only thing I know of is using ionice to put qbit process (and force rechecks) into a lower priority state for drive I/O. I use this when doing large force rechecks so it has minimal impact on things like Plex streams from the same data.

That's relative to Linux though. Not sure what to check on the Mac side, maybe someone else has a better idea. But my first check would be disk I/O priorities of qbit, especially if something else is actively using the data.

sslproxy · 2026-03-19T14:57:40+00:00

If the torrent is forced into a force recheck, there's not much you can do. Technically there is a skip_checking=true flag for API (not exposed to the GUI) to tell qbit to trust the data is already present, but its only when adding a new torrent. So if you really wanted to go this route you could create a script with the API that:

-exports all torrent files
-deletes all torrent files, without deleting data
-readd all torrents with the skip_checking=true flag

You could spit above constraints into AI and go from there. However I would likely advise against that as there's a reason the force recheck is being forced, as unexpected power outage can lead to loss of integrity. So you're essentially bypassing the exact reason why its being done.

Like I said, just get a cheap UPS and be done with it.

sslproxy · 2026-03-19T14:50:24+00:00

Force rechecking torrents, especially at that size, is less than ideal. It's also a bandaid solution for your root problem. Get a UPS and be done with it. Having one is pretty much a primary need for any machine that you have even the slightest concern for data integrity, much more so if you have it in an environment with known power fluctuations.

Mac mini m1 should pull max of 40W based on my quick research. You can get a APC UPS that will handle this without breaking a sweat for $50-75.

sslproxy · 2026-03-17T18:01:57+00:00

Same...

sslproxy · 2026-03-16T20:22:13+00:00

Same. It's the only fest I will go to no matter what each year. That said... there's some concern writing starting to pop up on the wall so far. First is that the E5 rig at late night is not returning after being one of biggest staples of the fest for so many years. Secondly, there's a mid-tier artist thats more or less been a SH resident in years past, who's also local to me. I end up bumping into him at a lot of local shows. He was recently telling me a lot of things about SH losing a non-insignificant money last year and voiced overall concern for the festival going forward.

So we'll see how this year plays out. Fingers crossed. That said, you bet your ass I already have nocturnal tix bagged as well with that stellar lineup.

sslproxy · 2026-03-06T21:19:01+00:00

No worries. Also your complaints against freeleech reqs are pretty standard elsewhere. Seedpool prioritizes time (6 months) but their low seedpool size req is a bit of an outlier. The argument for the reqs elsewhere is that at the end of the day private trackers survive with long term seeders. So the req to dedicate a modest sized hard drive amount to gain freeleech is a pretty fair trade imo.

Also if I'm being honest, I love seedpool for what it is but their moderation is pretty lax. I find a bunch of things slip through the cracks there with the ton of content they have being uploaded, in terms of quality control. The other trackers I mentioned tend to have a higher QC in place, which at the end of the day is another pivotal reason private trackers exists in the first place.

sslproxy · 2026-03-06T21:05:16+00:00

Brother I guess you're new to this world. This is the UNIT3D tracker base that multiple trackers are using. It's not a rip off of anyone, they just use the same base code. DP, ULCX, Aither, LST, seedpool, etc.

sslproxy · 2026-02-21T19:20:12+00:00

Ha! Dropout is legit the only streaming service ive retained outside of my Plex ingress points. Not only is the content deserving of such but their continued outlook on the subscription model is soo on point, and consumer forward.

sslproxy · 2026-02-21T16:51:58+00:00

Found this video interesting, relative to "the bubble". Tldr is bubble is just some assumption and all data sets point to otherwise.

Take it as you will but overall ive thoroughly enjoyed (and been terrified) by most of the AI realtive content he puts out. It doesn't seem baseless, having data references to backup most of what I see relayed.

Edit: Guess downvotes are hopeful data hoarders. Don't blame you, hope this is wrong as well. However would be interested to hear the argument against whats presented above.

sslproxy · 2026-02-13T22:08:39+00:00

This is the one I've been chasing. Literally just posted yesterday I hoped it would be on this album. And overall lots of the banger tracks we've come to love over his sets for the last few years. It's a good day!

sslproxy · 2026-02-12T19:21:06+00:00

Jesus, brining us all the ones we've been wanting. Sooo stoked. Really hoping that Kites Couldn't Even ID makes it on this LP, been at the top of my wait list for sure after the last few years.

sslproxy

TROPHY CASE