April 11th, 2003, 03:10 PM
#6
Hey, hey,
that's an interesting subject!
I wrote a tut about it a few weeks ago
http://www.antionline.com/showthread...ht=Firewalking
That aims to highlight some techniques to detect what rules are running on a firewall.
More info:
When a firewall is protecting a port (e.g. FTP port) the firewall will drop any related frames. That's what we expect from the firewall!
Now, in the case where there is no firewall and you start a scan using TCP with the ACK flag, you are expecting the target to answer you with a TCP packet with the RST flag (read the TCP RFC for more details!).
The trick is that when a firewall is in the middle, it will simply drop the packet and you'll never get the TCP RST packet back.
That's a simple way to detect what port is protected or not. (Nmap will do it for you, have a look in the manpage!)
Of course some constructors know about it and implement countermeasures:
- A simple one is to answer a TCP RST from the firewall, but you can still detect the firewall action thanks to the IP source (the one of the firewall)
- The ultimate mitigation is when the firewall is able to spoof the target IP for answering the RST packet. (I don't know any commercial product that does it!)
I hope it helps,
Extract from the FYODOR man page:
-sA
ACK scan: This advanced method is usually used to map out firewall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.
This scan type sends an ACK packet (with random looking acknowledgement/sequence numbers) to the ports specified. If a RST comes back, the port is classified as "unfiltered". If nothing comes back (or if an ICMP unreachable is returned), the port is classified as "filtered". Note that nmap usually doesn't print "unfiltered" ports, so getting no ports shown in the output is usually a sign that all the probes got through (and returned RSTs). This scan will obviously never show ports in the "open" state.
SHARING KNOWLEDGE
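
An offline model of the behaviour described in the post above, added here as an example that is not part of the original thread: it sends no packets and only simulates which reply an ACK probe would see under each firewall behaviour the post lists. The policy names, addresses and helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TARGET_IP = "192.0.2.10"    # constructed (RFC 5737 documentation range)
FIREWALL_IP = "192.0.2.1"   # constructed
PROTECTED = {21}            # FTP port, as in the post

@dataclass(frozen=True)
class Reply:
    src: str
    flags: str              # "R" = RST, "SA" = SYN/ACK

def target_reply(flags: str) -> Optional[Reply]:
    # The target holds no connection for the probe, so a bare ACK gets a RST.
    if flags == "A":
        return Reply(TARGET_IP, "R")
    if flags == "S":
        return Reply(TARGET_IP, "SA")   # assumption: a service is listening
    return None

def through_firewall(policy: str, dport: int, flags: str) -> Optional[Reply]:
    """Return what the prober sees for one packet under a hypothetical policy."""
    if policy == "none" or dport not in PROTECTED:
        return target_reply(flags)
    if policy == "syn_filter":          # stateless: only incoming SYN is blocked
        return None if flags == "S" else target_reply(flags)
    if policy == "drop":                # drops every frame to the protected port
        return None
    if policy == "rst_own_ip":          # firewall answers RST from its own address
        return Reply(FIREWALL_IP, "R")
    if policy == "rst_spoofed":         # firewall answers RST with the target's address
        return Reply(TARGET_IP, "R")
    raise ValueError(f"unknown policy: {policy}")

def classify(reply: Optional[Reply]) -> str:
    """Apply the -sA rule plus the source-address check from the post."""
    if reply is None:
        return "filtered"
    if reply.flags == "R" and reply.src == TARGET_IP:
        return "unfiltered"
    return f"filtered (reply from {reply.src})"

def ack_view(policy: str, dport: int = 21) -> str:
    return classify(through_firewall(policy, dport, "A"))

if __name__ == "__main__":
    for policy in ("none", "syn_filter", "drop", "rst_own_ip", "rst_spoofed"):
        print(f"{policy:12} -> {ack_view(policy)}")
```

The `syn_filter` and `rst_spoofed` rows both come out as "unfiltered": the first because a SYN-only filter lets the ACK through, the second because the reply carries the target's address, which is why the post calls it the ultimate mitigation.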