Turris Sentinel

I am interested in getting a Turris Shield, but wanted to understand a bit more about how the dynamic firewall worked first.

Does the firewall dynamic ruleset by default block any traffic to IP’s on the blocklist? Or does it only block connections initiated from external IPs to open firewall ports i.e. allowing connections to blocklist IPs if the session is initiated from inside the LAN.

Ideally I would like a configuration that blocked traffic from blocklist IPs to open ports (e.g. VPN) by default. But only warns (possibly via email alert if possible) on sessions initiated from within the LAN to blocklist addresses.

This is because both my wife and I are working from home and I need to ensure there is no chance of a false positive causing issues with work, but will still like to get notified if there is a suspicious session.

Firewall monitoring

Firewall data is one of the key data sources for Sentinel. Using firewall data we can determine which attackers tries to exploit potential vulnerabilities on a particular port. We collect attacker’s IP address and local port number.

So it is blocking inbound traffic on specific port. Outbound traffic should pass thru. Even if you have open ports and use them (vpn to connect to work), all should be fine. For sure any open port will be targeted. This firewall feature is automatic and on background, so there are no notification about attacks. If there will be such notification it will spam your mailbox actually. There is global overview : https://view.sentinel.turris.cz

Sentinel is monitoring inbound traffic and if there is suspicious traffic it is reported back. If there is some pattern, attack is identified, rule is created and distributed back to all clients. There are two types of rules, applied with reload and applied without reloading firewall service.