
Firewalk

Firewalk is an active reconnaissance tool that discovers firewall filter rules and access control lists (ACLs) by analyzing IP Time-To-Live (TTL) expiry responses. It determines which ports and protocols are permitted through a firewall by probing gateway and target hosts, making it invaluable for understanding network security policies during penetration tests.

Firewalk works in two phases, both driven by IP TTL expiry:

  1. Ramping phase (TTL baseline): sends probes with increasing TTL, starting at 1, until the hop that answers with ICMP Time Exceeded is the gateway itself; that TTL is the hop count to the firewall
  2. Scanning phase: sends one probe per port and protocol with the TTL set to the gateway hop count plus the expire vector (default 1), so the probe is due to expire one hop beyond the firewall
  3. Response analysis: if the gateway forwards the probe, the next hop (or the metric host itself, when it is the next hop) answers and the port is reported as passed; if the gateway filters the probe, nothing comes back, or an ICMP unreachable arrives when the firewall rejects rather than drops
  4. ACL discovery: the per-port verdicts are collected into a map of which protocols and ports the gateway lets through

Because each scanning probe is set to expire one hop past the firewall, a reply proves only that the gateway forwarded the probe; when the metric host is that next hop, its own answer serves the same purpose. The second host argument (the "metric") therefore only has to lie behind the gateway so that probes are routed through it.
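To make the two phases concrete, here is a small model of the technique, added as an illustration rather than code from the firewalk project: a constructed path with a filtering router in the middle, a ramp that finds the gateway's hop count, and a scan whose probes expire one hop beyond it. The hop addresses, the firewall's allow set and the helper names are all assumptions of this example.

```python
"""Model of the firewalk TTL technique (added illustration, not firewalk code).
The path, the gateway's filter set and the addresses below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class Router:
    addr: str
    # None: plain router that forwards everything; otherwise the (proto, port) pairs it passes
    allow: Optional[FrozenSet[Tuple[str, int]]] = None


# Constructed topology: prober -> 10.0.0.1 -> 10.0.0.2 (firewall) -> 10.0.1.1 -> 10.0.1.50 (metric)
ROUTERS = [
    Router("10.0.0.1"),
    Router("10.0.0.2", frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)})),
    Router("10.0.1.1"),
]
METRIC = "10.0.1.50"
GATEWAY = "10.0.0.2"


def send_probe(routers, metric, ttl, proto, port):
    """Walk one probe along the path and return (outcome, responder).
    Each router decrements the TTL first; at zero it answers ICMP Time Exceeded
    and the probe stops there.  Only a probe whose TTL survives is checked against
    a filtering router's rules, and a non-matching probe is dropped silently.
    A probe that clears every router is delivered to the metric host, which replies."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return "time_exceeded", router.addr
        if router.allow is not None and (proto, port) not in router.allow:
            return "no_response", None
    return "host_reply", metric


def ramping_phase(routers, metric, gateway, initial_ttl=1, max_ttl=25):
    """Raise the TTL until the gateway itself is the hop that answers;
    that TTL is the hop count to the gateway (None if it never answers)."""
    for ttl in range(initial_ttl, max_ttl + 1):
        outcome, responder = send_probe(routers, metric, ttl, "udp", 33434)
        if outcome == "time_exceeded" and responder == gateway:
            return ttl
        if outcome == "host_reply":
            return None  # ran past the gateway without it ever answering
    return None


def scanning_phase(routers, metric, gateway, ports, proto="tcp", expire_vector=1):
    """Probe each port with TTL = gateway hop count + expire_vector.  Any reply
    (Time Exceeded from the hop beyond the gateway, or the metric host's own
    answer) proves the gateway forwarded the probe; silence means it was filtered."""
    hops = ramping_phase(routers, metric, gateway)
    if hops is None:
        raise RuntimeError("gateway never answered the ramp; cannot bind the scan")
    results = {}
    for port in ports:
        outcome, responder = send_probe(routers, metric, hops + expire_vector, proto, port)
        status = "allowed" if outcome in ("time_exceeded", "host_reply") else "blocked"
        results[port] = (status, responder)
    return hops, results


if __name__ == "__main__":
    bound, verdicts = scanning_phase(ROUTERS, METRIC, GATEWAY, [22, 80, 443, 3306])
    print(f"scan bound at {bound} hops")
    for port, (status, responder) in sorted(verdicts.items()):
        origin = f" (reply from {responder})" if responder else ""
        print(f"tcp/{port}: {status}{origin}")
```

With the default expire vector the replies for the allowed ports come from 10.0.1.1, the hop just past the firewall, not from the metric host; raising the expire vector to 2 lets the probe reach 10.0.1.50, which is the situation firewalk reports as "open (port listen)".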

Install on Linux using apt:

sudo apt-get install firewalk

Install on macOS using Homebrew:

brew install firewalk

Build from source:

wget https://packetstormsecurity.com/files/19381/firewalk-5.0.tar.gz
tar xzf firewalk-5.0.tar.gz
cd firewalk-5.0
./configure
make
sudo make install

Verify installation (-v prints the version and exits; -h prints the option summary):

firewalk -v
firewalk -h

Simple gateway and target scan (with no options firewalk sends UDP probes over its default port range):

sudo firewalk 192.168.1.1 192.168.1.254

Where:

  • 192.168.1.1 = gateway (the firewall whose ACL is being mapped); always the first positional argument
  • 192.168.1.254 = metric host beyond the firewall that probes are routed towards; always the second positional argument

Firewalk has no verbose or quiet switches: -v prints the version and exits, and every scan already prints the ramping hops, the bound hop count and one line per scanned port. The only output control is -n, which stops firewalk from resolving responding addresses to hostnames, keeping the output to plain IPs and avoiding DNS lookups during the scan:

sudo firewalk -n 192.168.1.1 192.168.1.254

Gateway and target are positional, not flags: firewalk has no -g option, and -t sets the initial TTL rather than the target. The first argument is always the gateway and the second the metric host; swapping them makes firewalk ramp towards the wrong device.

Scan using DNS names:

sudo firewalk -S firewall.company.com internal-server.company.com

Firewalk takes exactly one metric host per run and does not accept CIDR ranges, so cover several hosts behind the same gateway with a loop (one run per host):

for target in 192.168.1.10 192.168.1.20 192.168.1.30; do
  sudo firewalk 192.168.1.1 "$target"
done

TCP protocol scan (-pTCP):

sudo firewalk -pTCP 192.168.1.1 192.168.1.254

UDP protocol scan (the default when -p is omitted):

sudo firewalk -pUDP 192.168.1.1 192.168.1.254

Firewalk 5.0 has no ICMP probe mode; -p accepts only TCP or UDP. To cover both, run the scan once per protocol:

sudo firewalk -pTCP 192.168.1.1 192.168.1.254
sudo firewalk -pUDP 192.168.1.1 192.168.1.254

Scan single port (-S takes the port specification; -pTCP is added because the default protocol is UDP):

sudo firewalk -S80 -pTCP 192.168.1.1 192.168.1.254

Scan port range:

sudo firewalk -S80-443 -pTCP 192.168.1.1 192.168.1.254

Scan specific ports (comma-separated; single ports and ranges can be mixed):

sudo firewalk -S22,80,443,3306,5432 -pTCP 192.168.1.1 192.168.1.254

Common web service ports:

sudo firewalk -S80-89 -pTCP 192.168.1.1 192.168.1.254

All standard ports (1-1024):

sudo firewalk -S1-1024 -pTCP 192.168.1.1 192.168.1.254

Extended port range (firewalk sends one probe per port and waits for each reply or timeout, so this takes a long time):

sudo firewalk -S1-65535 -pTCP 192.168.1.1 192.168.1.254

High ports (>32768):

sudo firewalk -S32768-65535 -pTCP 192.168.1.1 192.168.1.254

Set the initial TTL for the ramping phase (-t, 1-25, default 1). Starting higher saves probes when the gateway is known to be several hops away, but the ramp still has to end exactly at the gateway, so do not start above its hop count:

sudo firewalk -t 3 192.168.1.1 192.168.1.254

Set the expire vector (-x, 1-8, default 1), the number of hops beyond the gateway at which the scanning probes are set to expire:

sudo firewalk -x 2 192.168.1.1 192.168.1.254

Change the destination port used by the ramping probes (-d, default 33434, the traceroute convention), for instance when the gateway treats that port specially:

sudo firewalk -d 33435 192.168.1.1 192.168.1.254

Bind to a specific interface (-i):

sudo firewalk -i eth0 192.168.1.1 192.168.1.254

Adjust the packet read timeout (-T, in milliseconds). Firewalk has no inter-probe delay option; this is its only timing control:

# Longer wait for slow or lossy networks
sudo firewalk -T 1000 192.168.1.1 192.168.1.254

# Shorter wait on a fast local link
sudo firewalk -T 200 192.168.1.1 192.168.1.254

Understanding firewalk output:

Response                                  Meaning                  Interpretation
A! (reply from the hop past the gateway)  Port/protocol allowed    Gateway forwarded the probe; it expired one hop beyond the firewall
A! open (port listen / port not listen)   Port/protocol allowed    Gateway forwarded the probe and the metric host itself answered
*no response*                             Port/protocol blocked    Gateway dropped the probe, or the reply was filtered on the way back
ICMP unreachable (admin prohibited)       Port/protocol denied     Gateway rejected the probe and said so explicitly
ICMP host/network unreachable             No route to target       The path to the metric host is broken; not a filtering verdict
expired [gateway] during the ramp         Gateway found            TTL baseline established; the scan is bound at that hop count plus the expire vector

Expected output format (illustrative run of a TCP scan of ports 22, 80, 443 and 3306, using this page's addresses):

Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.1.254 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port    22: *no response*
port    80: A! open (port listen) [192.168.1.254]
port   443: A! open (port listen) [192.168.1.254]
port  3306: *no response*
Scan completed successfully.

Reading it: "Scan bound at 2 hops" means the gateway is one hop away and the scanning probes carry TTL 2; "A!" marks a probe the gateway forwarded (here the metric host itself answered, because it is the next hop); "*no response*" means the gateway dropped the probe, or the reply never made it back.

Firewalk does not auto-detect the gateway; both positional arguments are required and the first is always treated as the gateway. To find the firewall between you and a target, trace the route first and pass the hop that acts as the firewall as the gateway argument:

traceroute 192.168.1.254
# Then use the firewall's IP as the gateway argument
sudo firewalk <firewall_ip> 192.168.1.254

If the firewall is the first hop, the gateway argument is simply the scanning host's default gateway:

sudo firewalk 192.168.1.1 192.168.1.254

Scenario 1: Basic Web Service Probe

# Discover HTTP/HTTPS filtering
sudo firewalk -S80-443 -pTCP 192.168.1.1 192.168.1.254

Scenario 2: Comprehensive TCP Port Mapping

# Map all common TCP ports
sudo firewalk -pTCP -S1-1024 192.168.1.1 192.168.1.254

Scenario 3: Database Access Testing

# Check access to common database ports
sudo firewalk -S3306,5432,1433,27017 -pTCP 192.168.1.1 192.168.1.254

Scenario 4: Protocol-Specific Analysis

# Test TCP
sudo firewalk -pTCP -S1-1024 192.168.1.1 192.168.1.254

# Test UDP
sudo firewalk -pUDP -S1-1024 192.168.1.1 192.168.1.254

# Firewalk 5.0 probes with TCP or UDP only; it has no ICMP probe mode

Scenario 5: Targeted Service Probing

# SSH, DNS, SNMP, SMTP, POP3, IMAP, HTTPS, RDP
sudo firewalk -S22,53,161,25,110,143,443,3389 -pTCP 192.168.1.1 192.168.1.254

Standard output:

sudo firewalk -n 192.168.1.1 192.168.1.254

Typical output shows:

  • the protocol in use and the ramping-phase source and destination ports
  • the ramping phase, one line per hop, ending when the gateway answers
  • the hop count the scan is bound at
  • one line per probed port with its verdict (A! ..., *no response*, ...)
  • packet and port totals at the end

Save output to file:

sudo firewalk -n 192.168.1.1 192.168.1.254 > firewalk_scan.txt

Parse a saved scan for open ports (the A! lines):

grep '^port' firewalk_scan.txt | grep 'A!'

Scan through multiple firewalls (multi-hop): run firewalk once per gateway, each time with that gateway as the first argument and a host behind it as the metric:

# First firewall
sudo firewalk 192.168.1.1 192.168.1.254

# Second firewall (if target is internal)
sudo firewalk 10.0.0.1 10.0.0.100

Custom packet crafting options:

# Specific source port (-s; 53 is the default)
sudo firewalk -S53 -s 53 192.168.1.1 192.168.1.254

Fragment detection:

# Firewalk cannot fragment its probes; there is no fragmentation option

Stealth scanning (slower):

# Increase delays to avoid detection: firewalk has no inter-probe delay option,
# and -T only sets how long (ms) it waits for each reply
sudo firewalk -T 1000 192.168.1.1 192.168.1.254

Combine with traceroute:

traceroute 192.168.1.254
sudo firewalk 192.168.1.1 192.168.1.254

Feed nmap results to firewalk:

# Map ports found by nmap through firewall
nmap -p- 192.168.1.254 > nmap_results.txt
# Then test those specific ports with firewalk
sudo firewalk -S80,443,3306 -pTCP 192.168.1.1 192.168.1.254

Combine with network mapping tools:

# First: identify network
nmap -sn 192.168.1.0/24

# Then: test firewall rules for each host
for host in 192.168.1.{10..20}; do
  sudo firewalk 192.168.1.1 "$host"
done

Export results for documentation:

sudo firewalk -n 192.168.1.1 192.168.1.254 | tee firewall_analysis.log

No response from gateway:

# Verify gateway is reachable
ping 192.168.1.1

# Allow longer for replies
sudo firewalk -T 1000 192.168.1.1 192.168.1.254

TTL baseline detection fails:

# The ramp starts at TTL 1 (-t) and climbs until the gateway itself answers with
# Time Exceeded. It fails when the gateway, or a hop in front of it, does not send
# Time Exceeded, or when the wrong gateway address was given and the ramp reaches
# the metric host first. Confirm the hop count and the gateway address with traceroute:
traceroute -n 192.168.1.254

No responses on any port:

# Firewalk relies on ICMP Time Exceeded replies from the hop beyond the gateway; if that
# hop, or the gateway, silently drops or rate-limits ICMP, every port reads *no response*.
# Check whether Time Exceeded messages come back at all:
traceroute -n 192.168.1.254

# Try the other protocol
sudo firewalk -pTCP 192.168.1.1 192.168.1.254

Inconsistent results:

# Run multiple times
for i in {1..3}; do
  sudo firewalk -S 192.168.1.1 192.168.1.254
done

Permission denied:

# Firewalk requires root (raw sockets)
sudo firewalk 192.168.1.1 192.168.1.254

# Or use with sudo -l to check permissions
sudo -l | grep firewalk

Example Analysis:

# Scan result:
# Port 80/TCP: TTL exceeded (allowed)
# Port 443/TCP: TTL exceeded (allowed)
# Port 22/SSH: No response (blocked)
# Port 3306/MySQL: No response (blocked)

# Interpretation:
# - Firewall allows inbound HTTP/HTTPS
# - SSH access is denied (blocked)
# - Database access is denied (blocked)

ACL Mapping:

# From results, infer ACL rules:
# ALLOW TCP port 80 from any to target
# ALLOW TCP port 443 from any to target
# DENY TCP port 22 from any to target
# DENY TCP port 3306 from any to target
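The two steps above, reading the scanning-phase lines and turning them into ALLOW/DENY rules, can be scripted. The parser below is an added example (not part of firewalk) that works on the output format shown earlier on this page; SAMPLE is a constructed transcript using this page's addresses, and the function and field names are this example's own.

```python
"""Parse firewalk 5.0 output into the inferred ACL (added example, not firewalk code).
SAMPLE is a constructed transcript in the format firewalk prints."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = """\
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.1.254 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port    22: *no response*
port    80: A! open (port listen) [192.168.1.254]
port   443: A! open (port listen) [192.168.1.254]
port  3306: *no response*
Scan completed successfully.
"""

PROTO_RE = re.compile(r"^(TCP|UDP)-based scan\.")
HOTFOOT_RE = re.compile(r"^Hotfoot through (\S+) using (\S+) as a metric\.")
BOUND_RE = re.compile(r"^Scan bound at (\d+) hops\.")
PORT_RE = re.compile(r"^port\s+(\d+):\s+(.*)$")


@dataclass
class FirewalkScan:
    proto: str = ""
    gateway: str = ""
    metric: str = ""
    bound_hops: int = 0
    allowed: List[int] = field(default_factory=list)    # "A!" lines: gateway forwarded the probe
    no_reply: List[int] = field(default_factory=list)   # "*no response*": dropped, or reply filtered
    other: Dict[int, str] = field(default_factory=dict)  # anything else, kept verbatim for review


def parse_firewalk(text: str) -> FirewalkScan:
    """Pull protocol, gateway, metric, bound hop count and per-port verdicts
    out of a firewalk transcript; lines that are not part of the format are ignored."""
    scan = FirewalkScan()
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            scan.proto = m.group(1)
        elif m := HOTFOOT_RE.match(line):
            scan.gateway, scan.metric = m.group(1), m.group(2)
        elif m := BOUND_RE.match(line):
            scan.bound_hops = int(m.group(1))
        elif m := PORT_RE.match(line):
            port, verdict = int(m.group(1)), m.group(2)
            if verdict.startswith("A!"):
                scan.allowed.append(port)
            elif verdict == "*no response*":
                scan.no_reply.append(port)
            else:
                scan.other[port] = verdict
    return scan


def infer_acl(scan: FirewalkScan) -> List[str]:
    """Express the verdicts as the rules the gateway appears to enforce."""
    rules = [f"ALLOW {scan.proto} port {p} from any to {scan.metric}" for p in scan.allowed]
    rules += [f"DENY {scan.proto} port {p} from any to {scan.metric} (no response)"
              for p in scan.no_reply]
    rules += [f"REVIEW {scan.proto} port {p}: {v}" for p, v in scan.other.items()]
    return rules


if __name__ == "__main__":
    scan = parse_firewalk(SAMPLE)
    print(f"gateway {scan.gateway}, scan bound at {scan.bound_hops} hops")
    print("\n".join(infer_acl(scan)))
```

A "*no response*" is recorded as DENY with a note rather than as a hard fact, because it is equally consistent with the reply being filtered on the return path; the REVIEW bucket catches verdict strings the parser does not recognise so that nothing is silently dropped from the report.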

Obtain proper authorization:

# Document authorization
echo "Authorized: IT Manager - John Smith - May 2, 2026" > authorization.txt
sudo firewalk 192.168.1.1 192.168.1.254

Perform baseline scan first:

# Start with common ports
sudo firewalk -S22,80,443 -pTCP 192.168.1.1 192.168.1.254

Document all findings:

sudo firewalk -n 192.168.1.1 192.168.1.254 2>&1 | tee discovery_report.txt

Cross-verify results:

# Verify with nmap on accessible ports
nmap -p 80,443 192.168.1.254

Review network policies:

# Correlate findings with documented firewall rules
# Alert if unexpected ports are open

Firewalk actively probes networks:

  • Ensure proper authorization before scanning
  • Document all testing activities
  • Coordinate with network operations team
  • Be aware of IDS/IPS systems that may alert on probing
  • Only test networks you own or have written permission to test
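From the gateway's side, a firewalk run is recognisable: one source sends probes that arrive with a TTL of 1 or 2 (ordinary end-host traffic reaches a gateway with a TTL in the tens, since senders start at 64, 128 or 255) to many destination ports on one inside host within a short time. The detector below is an added example, not part of firewalk, that scores constructed iptables-style log lines for that pattern; the log format, field names and thresholds are assumptions of this example.

```python
"""Detect firewalk-style probing in gateway logs (added example, not firewalk code).
The log lines are constructed in an iptables-like key=value style; the field
names and the thresholds are assumptions of this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 walks many ports on one inside host with probes
# that reach the gateway at TTL 1; 198.51.100.7 is ordinary traffic; 203.0.113.9
# is a lone traceroute-like packet that should stay below the threshold.
LOG = """\
2026-05-02T10:00:00Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=UDP SPT=53 DPT=33434
2026-05-02T10:00:01Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=21
2026-05-02T10:00:01Z fw1 FORWARD SRC=198.51.100.7 DST=192.168.1.254 TTL=63 PROTO=TCP SPT=51234 DPT=443
2026-05-02T10:00:03Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=22
2026-05-02T10:00:05Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=23
2026-05-02T10:00:07Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=25
2026-05-02T10:00:09Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=53
2026-05-02T10:00:10Z fw1 FORWARD SRC=198.51.100.7 DST=192.168.1.254 TTL=63 PROTO=TCP SPT=51235 DPT=443
2026-05-02T10:00:11Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=80
2026-05-02T10:00:13Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=110
2026-05-02T10:00:15Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=143
2026-05-02T10:00:17Z fw1 FORWARD SRC=203.0.113.5 DST=192.168.1.254 TTL=1 PROTO=TCP SPT=53 DPT=443
2026-05-02T10:00:20Z fw1 FORWARD SRC=203.0.113.9 DST=192.168.1.254 TTL=1 PROTO=UDP SPT=40000 DPT=33435
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ FORWARD SRC=(?P<src>\S+) DST=(?P<dst>\S+) TTL=(?P<ttl>\d+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    for key in ("ttl", "spt", "dpt"):
        rec[key] = int(rec[key])
    return rec


def detect_firewalk(log_text, max_ttl=2, min_ports=8, window_s=60):
    """Flag (src, dst) pairs whose probes arrive with TTL <= max_ttl and touch at
    least min_ports distinct (proto, port) targets inside any window_s-second span.
    A traceroute also arrives with a tiny TTL but touches one or two ports, so the
    combination of low TTL and port breadth is what separates a firewalk run."""
    events = defaultdict(list)  # (src, dst) -> [(ts, proto, dpt), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ttl"] <= max_ttl:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["proto"], rec["dpt"]))

    alerts = []
    for (src, dst), probes in events.items():
        probes.sort()
        best, start = 0, 0
        for end in range(len(probes)):  # sliding window over time-ordered probes
            while (probes[end][0] - probes[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {(proto, dpt) for _, proto, dpt in probes[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "ports": best,
                           "first": probes[0][0], "last": probes[-1][0]})
    return alerts


if __name__ == "__main__":
    for a in detect_firewalk(LOG):
        print(f"possible firewalk scan: {a['src']} -> {a['dst']}, "
              f"{a['ports']} low-TTL ports between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Secondary indicators worth adding to a real rule are a constant source port across the probes (firewalk defaults to 53) and a first probe to 33434, the ramping phase's default destination port, but the detector above deliberately keys on TTL and port breadth only, since both defaults are a single option away.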

Legal compliance:

  • Unauthorized network scanning may be illegal
  • Obtain written authorization before testing
  • Follow responsible disclosure policies
  • Document all testing methodologies