Turris Sentinel

I am interested in getting a Turris Shield, but wanted to understand a bit more about how the dynamic firewall worked first.

Does the firewall's dynamic ruleset by default block any traffic to IPs on the blocklist? Or does it only block connections initiated from external IPs to open firewall ports, i.e. allowing connections to blocklist IPs if the session is initiated from inside the LAN?

Ideally I would like a configuration that blocked traffic from blocklist IPs to open ports (e.g. VPN) by default. But only warns (possibly via email alert if possible) on sessions initiated from within the LAN to blocklist addresses.

This is because both my wife and I are working from home and I need to ensure there is no chance of a false positive causing issues with work, but I would still like to get notified if there is a suspicious session.

Firewall monitoring

Firewall data is one of the key data sources for Sentinel. Using firewall data we can determine which attackers try to exploit potential vulnerabilities on a particular port. We collect the attacker's IP address and the local port number.

So it is blocking inbound traffic on specific ports. Outbound traffic should pass through. Even if you have open ports and use them (VPN to connect to work), all should be fine. For sure any open port will be targeted. This firewall feature is automatic and runs in the background, so there is no notification about attacks. If there were such notifications they would actually spam your mailbox. There is a global overview: https://view.sentinel.turris.cz

Sentinel is monitoring inbound traffic and if there is suspicious traffic it is reported back. If there is some pattern, an attack is identified, a rule is created and distributed back to all clients. There are two types of rules: those applied with a reload and those applied without reloading the firewall service.

I am not sure how it is with Turris Shield, but Turris Omnia offers some other features ...

There is also miniPots (mini honeypots) and/or HaaS (honeypot as a service) and/or Ludus (an experimental feature applying game theory to possible attacks). There is also IDS (an experimental feature, utilizing Suricata) which does packet inspection and notifies you about a new device in the network. There is also Pakon (parental control, also utilizing Suricata) which monitors the LAN outbound traffic.
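To make the distinction in the reply concrete (inbound new connections from blocklisted addresses to exposed ports are dropped, LAN-initiated sessions and their return traffic pass), here is an added, simplified policy model written for this page. It is not Turris or Sentinel code and does not show how the distributed dynamic ruleset is implemented; the blocklist entries, the LAN range, the open ports and the sample packets are all constructed values. It also adds the alert-only outbound behaviour the question asks for: a LAN-initiated session to a blocklisted address is allowed but produces an alert record instead of being blocked. NAT is ignored, so inbound packets are addressed directly to LAN hosts.

```python
"""Stateful model of a dynamic-blocklist firewall policy (added example, constructed data).

Policy modelled:
  * outbound (LAN -> WAN): always accepted; if the destination is on the blocklist,
    an alert is recorded instead of blocking (the "warn only" behaviour asked about)
  * inbound return traffic of a LAN-initiated session: accepted (established flow)
  * inbound new connection from a blocklisted source to an open port: dropped
  * inbound new connection from a non-blocklisted source to an open port: accepted
  * inbound to a closed port: dropped (ordinary default-deny)
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# --- constructed sample configuration (hypothetical values, not from any real feed) ---
BLOCKLIST = {"198.51.100.7", "203.0.113.42"}   # TEST-NET addresses standing in for a blocklist
LAN = ip_network("192.168.1.0/24")             # assumed LAN range
OPEN_PORTS = {1194, 51820}                     # ports assumed to be exposed, e.g. VPN services


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PolicyEngine:
    blocklist: set
    lan: IPv4Network
    open_ports: set
    # LAN-initiated sessions: (lan_host, lan_port, remote_host, remote_port)
    sessions: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'accept', 'accept+alert' or 'drop'."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        outbound = src in self.lan and dst not in self.lan
        inbound = dst in self.lan and src not in self.lan

        if outbound:
            # Remember the flow so its return packets are treated as established.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.dst in self.blocklist:
                self.alerts.append(
                    f"ALERT outbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                    "destination is on the blocklist (session allowed)"
                )
                return "accept+alert"
            return "accept"

        if inbound:
            # Reverse of a recorded LAN-initiated flow: this is return traffic.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "accept"
            if pkt.dport not in self.open_ports:
                return "drop"                      # closed port, default deny
            if pkt.src in self.blocklist:
                return "drop"                      # dynamic blocklist rule on an open port
            return "accept"                        # legitimate new connection to an open port

        return "accept"  # LAN-to-LAN or other traffic: out of scope for this model


def run_sample() -> tuple:
    """Feed a constructed packet sequence through the policy; returns (verdicts, alerts)."""
    engine = PolicyEngine(BLOCKLIST, LAN, OPEN_PORTS)
    sample = [
        Packet("192.168.1.20", 50000, "198.51.100.7", 443),   # LAN host opens session to blocklisted IP
        Packet("198.51.100.7", 443, "192.168.1.20", 50000),   # return traffic of that session
        Packet("203.0.113.42", 40000, "192.168.1.1", 1194),   # blocklisted source hits open VPN port
        Packet("198.51.100.99", 40000, "192.168.1.1", 1194),  # non-blocklisted source hits open VPN port
        Packet("203.0.113.42", 40001, "192.168.1.1", 22),     # blocklisted source hits a closed port
    ]
    verdicts = [engine.evaluate(p) for p in sample]
    return verdicts, engine.alerts


if __name__ == "__main__":
    for verdict, alert in zip(*run_sample()) if False else [(run_sample(), None)]:
        print(verdict)
```

Running the block prints the five verdicts and the single outbound alert. On a real router the same split maps to one rule that drops new inbound connections whose source is in the blocklist set, and a separate log-only rule for outbound connections whose destination is in that set; how Turris distributes and applies its own rule set is described in the reply above, not in this model.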