Detecting Firewalls Before They Detect You
Mapping the control plane during post-exploitation — understanding what security boundaries exist, how traffic is filtered, and automating Linux firewall detection with a custom script.
Why Detect Firewalls?
A firewall on Linux acts as a traffic filtering system controlling which network activities are permitted. It enforces security policy by inspecting packet headers and deciding to accept, drop, or reject them. During post-exploitation, detecting firewalls is about mapping the control plane — understanding what security boundaries exist and how traffic flows.
Without this intelligence, you waste time attacking blocked ports and miss reachable services on alternate paths. Firewall policies leak information through packet behavior, and those behaviors reveal the filtering topology.
Linux Firewall Landscape
iptables
Low-level CLI to configure Netfilter using tables and chains.
# Allow SSH, drop everything else
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
Two rules implementing a default-deny policy: -A INPUT appends to the inbound chain, -p tcp --dport 22 matches SSH, -j ACCEPT allows it. The second rule silently drops everything else.
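The two rules above deny by appending an unconditional DROP rather than by setting the chain policy, and the difference matters when auditing a host: with a trailing DROP, any rule appended later lands after it and is never reached, whereas with -P INPUT DROP the chain policy does the denying and appended ACCEPT rules still work. The following Python is an added example, not code from the post, that parses the iptables -S rule format from constructed sample dumps (labelled as such) and reports for each chain whether it is default-deny, which ports are reachable, and which rules are dead. The function and variable names are the example's own.

```python
"""Audit an `iptables -S` rule dump for default-deny posture.

Added example, not part of the original post. It runs on the constructed
sample dumps below; on a real host the input would be `iptables -S`
(iptables-save uses the same rule syntax for -A lines).
"""
import shlex
from typing import Dict, List, Optional


class Rule:
    """One appended rule (-A line) reduced to the fields the audit needs."""

    def __init__(self, chain: str, tokens: List[str], raw: str) -> None:
        self.chain = chain
        self.raw = raw
        self.proto: Optional[str] = None
        self.dport: Optional[str] = None
        self.target: Optional[str] = None
        for i, tok in enumerate(tokens):
            if tok == "-p":
                self.proto = tokens[i + 1]
            elif tok == "--dport":
                self.dport = tokens[i + 1]
            elif tok == "-j":
                self.target = tokens[i + 1]
        # A rule whose only option is the jump target matches every packet.
        self.unconditional = len(tokens) == 2 and tokens[0] == "-j"


def parse_dump(text: str) -> Dict[str, dict]:
    """Return {chain: {"policy": str|None, "rules": [Rule]}} from a -S dump."""
    chains: Dict[str, dict] = {}

    def chain(name: str) -> dict:
        return chains.setdefault(name, {"policy": None, "rules": []})

    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        tok = shlex.split(raw)
        if tok[0] == "-P":            # -P CHAIN POLICY
            chain(tok[1])["policy"] = tok[2]
        elif tok[0] == "-N":          # user-defined chain (no policy)
            chain(tok[1])
        elif tok[0] == "-A":          # -A CHAIN <matches> -j TARGET
            chain(tok[1])["rules"].append(Rule(tok[1], tok[2:], raw))
    return chains


def audit_chain(info: dict) -> dict:
    """Decide whether a chain is default-deny and which rules are reachable."""
    rules: List[Rule] = info["rules"]
    policy = info["policy"]
    # The first unconditional DROP/REJECT ends evaluation for every packet,
    # so anything appended after it can never match.
    catch_all = next(
        (i for i, r in enumerate(rules)
         if r.unconditional and r.target in ("DROP", "REJECT")),
        None,
    )
    reachable = rules if catch_all is None else rules[: catch_all + 1]
    dead = [] if catch_all is None else [r.raw for r in rules[catch_all + 1:]]
    accepted = sorted(
        {(r.proto or "any", r.dport) for r in reachable
         if r.target == "ACCEPT" and r.dport}
    )
    return {
        "policy": policy,
        "default_deny": policy in ("DROP", "REJECT") or catch_all is not None,
        "accepted": accepted,
        "dead_rules": dead,
    }


def audit_ruleset(text: str) -> Dict[str, dict]:
    """Audit every chain in the dump."""
    return {name: audit_chain(info) for name, info in parse_dump(text).items()}


# Constructed sample: the post's two rules, then an HTTP rule appended later.
SAMPLE_TRAILING_DROP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed sample: policy-based default deny; later appends still work.
SAMPLE_POLICY_DROP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
"""

# Constructed sample: nothing is filtered.
SAMPLE_OPEN = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"

if __name__ == "__main__":
    for name, dump in [("trailing-drop", SAMPLE_TRAILING_DROP),
                       ("policy-drop", SAMPLE_POLICY_DROP),
                       ("open", SAMPLE_OPEN)]:
        print(name, audit_ruleset(dump)["INPUT"])
```

Run against the first sample, the INPUT chain comes back default-deny with only tcp/22 reachable and the HTTP rule listed as dead; the second sample is default-deny by policy with no dead rules; the third is not default-deny at all. The parser only understands -p, --dport and -j, which is enough for a posture check but not a full iptables grammar.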
nftables
Successor to iptables — unified, faster, simpler rule engine.
nft add rule inet filter input tcp dport 22 accept
firewalld
Higher-level service managing nftables/iptables underneath.
firewall-cmd --add-service=ssh
firewall-cmd --permanent --add-service=http
UFW
Simple frontend to iptables/nftables — beginner-friendly.
ufw allow 22
ufw enable
Automating Detection
I wrote a Bash script that detects which firewalls are installed and actively running on a Linux system — useful during post-exploitation to quickly map defensive controls.
#!/bin/bash
# fw_detect.sh — Linux firewall detection
# by 0xb0rn3

echo "[*] Firewall Detection"

# Check iptables: count appended rules (-A lines) in the filter table rather
# than raw output lines, and treat a non-ACCEPT chain policy as active too
if command -v iptables &>/dev/null; then
    rules=$(iptables -S 2>/dev/null | grep -c '^-A')
    deny_policies=$(iptables -S 2>/dev/null | grep -cE '^-P [A-Z_]+ (DROP|REJECT)')
    if [ "$rules" -gt 0 ] || [ "$deny_policies" -gt 0 ]; then
        echo "[+] iptables: ACTIVE ($rules rules)"
    fi
fi

# Check nftables: one line per table in `nft list tables`
if command -v nft &>/dev/null; then
    tables=$(nft list tables 2>/dev/null | wc -l)
    [ "$tables" -gt 0 ] && echo "[+] nftables: ACTIVE ($tables tables)"
fi

# Check firewalld
if systemctl is-active firewalld &>/dev/null; then
    echo "[+] firewalld: RUNNING"
fi

# Check UFW: match the status line exactly, since "inactive" also contains "active"
if command -v ufw &>/dev/null; then
    ufw status 2>/dev/null | grep -q '^Status: active' && echo "[+] UFW: ACTIVE"
fi
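The same four checks are what a configuration-compliance job runs on the defending side to confirm a host's firewall is actually enforcing, and two pitfalls bite in either direction: ufw status prints "Status: inactive", which contains the substring "active", and iptables -L -n prints header lines for every chain even when no rules exist, so a raw line count overstates the rule count. The Python below is an added example, not code from the post or from any of the tools, that classifies status from constructed sample outputs (labelled as such) shaped like ufw status, nft list tables, systemctl is-active and iptables -S; on a real host the strings would come from subprocess calls, and all function names are the example's own.

```python
"""Classify Linux firewall status from tool output.

Added example, not part of the original post. The sample strings below are
constructed to look like real tool output; nothing here was captured from a
live host.
"""
import re
from typing import Dict, List

# Constructed sample outputs.
UFW_INACTIVE = "Status: inactive\n"
UFW_ACTIVE = (
    "Status: active\n\n"
    "To                         Action      From\n"
    "--                         ------      ----\n"
    "22/tcp                     ALLOW       Anywhere\n"
)
NFT_NONE = ""
NFT_TWO = "table inet filter\ntable ip nat\n"
FIREWALLD_ON = "active\n"
FIREWALLD_OFF = "inactive\n"
IPT_EMPTY = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
IPT_LOADED = (
    "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"
    "-A INPUT -i lo -j ACCEPT\n"
)


def ufw_active(status_output: str) -> bool:
    """`ufw status` starts with 'Status: active' or 'Status: inactive'.
    A substring test for 'active' matches both, so anchor on the whole word."""
    return re.match(r"^Status:\s*active\b", status_output) is not None


def nft_table_count(list_tables_output: str) -> int:
    """Each line of `nft list tables` names one table, e.g. 'table inet filter'."""
    return sum(1 for line in list_tables_output.splitlines()
               if line.startswith("table "))


def firewalld_running(is_active_output: str) -> bool:
    """`systemctl is-active` prints one state word; only 'active' counts."""
    return is_active_output.strip() == "active"


def iptables_enforcing(dump: str) -> Dict[str, object]:
    """Count -A rules and non-ACCEPT chain policies in an `iptables -S` dump.
    An empty filter table still prints three -P lines, so line count alone
    says nothing about whether filtering is in effect."""
    rules = 0
    deny_policies: List[str] = []
    for line in dump.splitlines():
        parts = line.split()
        if parts[:1] == ["-A"]:
            rules += 1
        elif parts[:1] == ["-P"] and len(parts) >= 3 and parts[2] != "ACCEPT":
            deny_policies.append(parts[1])
    return {"rules": rules, "deny_policies": deny_policies,
            "active": rules > 0 or bool(deny_policies)}


def summarize(ufw: str, nft: str, firewalld: str, iptables: str) -> Dict[str, bool]:
    """Combine the four checks into one view of which controls are enforcing."""
    return {
        "ufw": ufw_active(ufw),
        "nftables": nft_table_count(nft) > 0,
        "firewalld": firewalld_running(firewalld),
        "iptables": bool(iptables_enforcing(iptables)["active"]),
    }


if __name__ == "__main__":
    print("bare host:     ", summarize(UFW_INACTIVE, NFT_NONE, FIREWALLD_OFF, IPT_EMPTY))
    print("hardened host: ", summarize(UFW_ACTIVE, NFT_TWO, FIREWALLD_ON, IPT_LOADED))
```

On a host running the iptables-nft backend, nft list tables also shows the tables iptables created, so a positive nftables result does not by itself mean native nftables rules are in use; the iptables check still tells you whether the filter chains are doing anything.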