Detecting Firewalls Before They Detect You

Mapping the control plane during post-exploitation — understanding what security boundaries exist, how traffic is filtered, and automating Linux firewall detection with a custom script.

Why Detect Firewalls?

A firewall on Linux acts as a traffic filtering system controlling which network activities are permitted. It enforces security policy by inspecting packet headers and deciding to accept, drop, or reject them. During post-exploitation, detecting firewalls is about mapping the control plane — understanding what security boundaries exist and how traffic flows.

Without this intelligence, you waste time attacking blocked ports and miss reachable services on alternate paths. Firewall policies leak information through packet behavior, and those behaviors reveal the filtering topology.

Linux Firewall Landscape

iptables

Low-level CLI to configure Netfilter using tables and chains.

iptables (Bash):
# Allow SSH, drop everything else
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
# Caveat: with no conntrack (ESTABLISHED,RELATED) or loopback accept rule ahead
# of the DROP, replies to the host's own outbound connections and traffic on lo
# are dropped as well.

Two rules implementing a default-deny policy: -A INPUT appends to the inbound chain, -p tcp --dport 22 matches SSH, -j ACCEPT allows it. The second rule silently drops everything else.

nftables

Successor to iptables — unified, faster, simpler rule engine.

nftables (Bash):
# Allow SSH; the table "inet filter" and its "input" chain must already exist
nft add rule inet filter input tcp dport 22 accept

firewalld

Higher-level service managing nftables/iptables underneath.

firewalld (Bash):
# Runtime change only: allows SSH now, but is lost on reload or reboot
firewall-cmd --add-service=ssh
# Permanent change only: written to the saved config, applied after `firewall-cmd --reload`
firewall-cmd --permanent --add-service=http

UFW

Simple frontend to iptables/nftables — beginner-friendly.

ufw (Bash):
# Allow port 22 (TCP and UDP), then turn the firewall on
# (ufw defaults: deny incoming, allow outgoing)
ufw allow 22
ufw enable

Automating Detection

I wrote a Bash script that detects which firewalls are installed and actively running on a Linux system — useful during post-exploitation to quickly map defensive controls.

fw_detect.sh (Bash):
#!/bin/bash
# fw_detect.sh — Linux firewall detection
# by 0xb0rn3
# Note: iptables, nft and ufw need root to read the ruleset. Run unprivileged,
# their errors are discarded and the checks below simply report nothing.

echo "[*] Firewall Detection"

# Check iptables: -S prints one line per chain policy (-P) and one per rule (-A),
# so excluding the -P lines leaves the actual rule count.
if command -v iptables &>/dev/null; then
    rules=$(iptables -S 2>/dev/null | grep -vc '^-P')
    [ "$rules" -gt 0 ] && echo "[+] iptables: ACTIVE ($rules rules)"
fi

# Check nftables
if command -v nft &>/dev/null; then
    tables=$(nft list tables 2>/dev/null | wc -l)
    [ "$tables" -gt 0 ] && echo "[+] nftables: ACTIVE ($tables tables)"
fi

# Check firewalld
if systemctl is-active firewalld &>/dev/null; then
    echo "[+] firewalld: RUNNING"
fi

# Check UFW: anchor on the status line, since a bare "active" also matches "inactive"
if command -v ufw &>/dev/null; then
    ufw status 2>/dev/null | grep -q "^Status: active" && echo "[+] UFW: ACTIVE"
fi
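Added example (not from the original post or its author): a bash audit helper for a host you administer that parses non-verbose `iptables -L -n` output into per-chain policy and rule counts. It covers the case a line or rule count cannot: a default-deny policy with no rules, which prints the same 8 lines as an empty, wide-open table. The listing it consumes below is constructed inline; on a real host, pipe `iptables -L -n` into `summarize_chains`.

```bash
#!/bin/bash
# summarize_chains: read non-verbose `iptables -L -n` output on stdin and print
# one line per chain: "<chain> policy=<policy> rules=<count>".
# A chain whose policy is DROP/REJECT filters traffic even with zero rules, so a
# check that only counts output lines (or rules) cannot see it.
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, "policy=" policy, "rules=" n
            chain = $2
            policy = "-"                      # user-defined chains have no policy
            if ($3 == "(policy") policy = substr($4, 1, length($4) - 1)
            n = 0
            next
        }
        /^target /   { next }                 # column header line
        /^[ \t]*$/   { next }                 # blank separator between chains
        { n++ }                               # anything else is a rule
        END { if (chain != "") print chain, "policy=" policy, "rules=" n }
    '
}

# Exit 0 if any chain drops or rejects by default, or carries at least one rule.
filtering_active() {
    summarize_chains | grep -Eq 'policy=(DROP|REJECT)|rules=[1-9]'
}

# Constructed sample listing: exactly the 8 lines an empty filter table prints,
# yet INPUT and FORWARD drop everything by default.
SAMPLE_DEFAULT_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

printf '%s\n' "$SAMPLE_DEFAULT_DROP" | summarize_chains
if printf '%s\n' "$SAMPLE_DEFAULT_DROP" | filtering_active; then
    echo "[+] netfilter is filtering traffic (default-deny policy or rules present)"
fi
```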