How do I scan a firewall to find open outgoing ports?

I'm looking for a tool that I can use within a firewalled network to scan the firewall to find open outgoing ports.

I've done some research and found Firewalk but it hasn't been maintained in 10 years, and didn't seem to work for me when I tried it.

I did some googling and found some sites saying you can do this with nmap, but I couldn't get this working either.

Does anyone know of a better way than setting up a box outside the firewall listening on every port and trying to port scan it from the inside?


Solution 1:

Say you have three subnets and a server on one of them, but want to see what rules are open to the other two. I run an nmap scan against the other two from the server. I typically use this line:

nmap -v -oA "$(hostname)_full-nmap-$(date +%y%m%d)" -Pn -sS -F -n --host-timeout 240s --max-rtt-timeout 300ms --initial-rtt-timeout 2000ms --max-parallelism 250 192.168.123.0/24 192.168.234.0/24

You could apply a similar concept when routing to the Internet as well, as nmap will identify which ports are filtered.
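
The useful part of that scan is the state column, and the `.gnmap` file that `-oA` writes alongside the `.nmap` and `.xml` files is the easiest one to post-process. Below is an added example (not code from the answer above, and not part of nmap) that parses the grepable format and turns it into a firewall-rule view: a port reported `open` or `closed` both prove the firewall let the probe through (a SYN/ACK or a RST came back), while `filtered` is what the rule set dropped or rejected. The `Ignored State` trailer matters too: with `-F` only 100 ports are listed, and that trailer tells you what happened to the rest. The sample output, host addresses and scan timestamp are constructed for the example.

```python
import re

# Constructed sample of nmap grepable output (the .gnmap file written by -oA),
# not output from the answer's own scan. Two hosts, one on each target subnet.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar  4 10:00:00 2024 as: nmap -v -oA web01_full-nmap-240304 -Pn -sS -F -n 192.168.123.0/24 192.168.234.0/24
Host: 192.168.123.10 ()\tStatus: Up
Host: 192.168.123.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (97)
Host: 192.168.234.20 ()\tStatus: Up
Host: 192.168.234.20 ()\tPorts: 25/filtered/tcp//smtp///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (97)
# Nmap done at Mon Mar  4 10:00:20 2024 -- 512 IP addresses (2 hosts up) scanned in 20.00 seconds
"""

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(?P<port>\d+)/(?P<state>[\w|]+)/(?P<proto>\w+)/")
# "Ignored State: closed (97)" -> state and how many unlisted ports share it
IGNORED = re.compile(r"^(?P<state>[\w|]+) \((?P<count>\d+)\)$")


def parse_gnmap(text):
    """Return {host: {"open": [...], "closed": [...], "filtered": [...],
    "ignored": (state, count) or None}} from grepable nmap output."""
    hosts = {}
    for line in text.splitlines():
        # Only the "Host: ... Ports: ..." lines carry results; status-only lines are skipped.
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        fields = {}
        for chunk in line.split("\t"):          # sections are tab separated
            name, _, value = chunk.partition(": ")
            fields[name] = value
        host = fields["Host"].split()[0]         # "192.168.123.10 ()" -> address
        rec = hosts.setdefault(host, {"open": [], "closed": [], "filtered": [], "ignored": None})
        for entry in fields["Ports"].split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m is None:
                continue
            state = m["state"]
            # nmap also reports ambiguous states such as open|filtered; anything
            # containing "filtered" got no answer, so it belongs with the blocked ports.
            bucket = "filtered" if "filtered" in state else state
            rec.setdefault(bucket, []).append(f"{m['port']}/{m['proto']}")
        ig = IGNORED.match(fields.get("Ignored State", ""))
        if ig:
            rec["ignored"] = (ig["state"], int(ig["count"]))
    return hosts


def allowed_through(rec):
    """Ports the firewall demonstrably passed: open (SYN/ACK) and closed (RST)
    both mean the probe reached the host; only filtered means it was dropped."""
    return sorted(rec["open"] + rec["closed"], key=lambda p: int(p.split("/")[0]))


def report(hosts):
    """Human-readable summary, one host per line plus the ignored-state trailer."""
    out = []
    for host, rec in sorted(hosts.items()):
        out.append(f"{host}: passed {', '.join(allowed_through(rec)) or 'none'}; "
                   f"filtered {', '.join(rec['filtered']) or 'none'}")
        if rec["ignored"]:
            state, n = rec["ignored"]
            note = {"filtered": "dropped by the firewall",
                    "closed": "reachable, nothing listening"}.get(state, state)
            out.append(f"  {n} unlisted ports were all {state} ({note})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_gnmap(SAMPLE_GNMAP)))
```

Run it against your own file with `parse_gnmap(open("web01_full-nmap-240304.gnmap").read())`. Note the second host: its trailer says the 97 unlisted ports were filtered, so the rule set there is default-deny with a couple of explicit holes, whereas the first host's trailer (closed) means the firewall passes everything and only the host itself is refusing.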

Solution 2:

Here is what I did:

Set up one machine in the network under test, and one elsewhere on the Internet (on the other side of the firewall). You should be fine using Windows or Linux (I used CentOS). I had a public IP but I guess it would work with a 1:1 NAT.

On the internet machine, I ran a command which would open every port on my computer with nc. I did

for i in $(seq 1 65000); do nc -l "$i" & sleep 1; done

The sleep is there to prevent it from spawning an excessive number of netcat processes at once. It went fine but took 65000 seconds (overnight).

On the tested network, I simply ran

nmap -p- -Pn <IP>

and wait for the results.
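
The same setup can be done without 65000 netcat processes and an overnight wait. The added example below (my code, not the answer's, and not part of nmap or netcat) does both halves in Python: one process on the outside host binds every requested port and serves them all from a single selector loop, and a threaded connect scanner on the inside classifies each port the way nmap does. The classification is the part worth getting right: a connect timeout means the SYN or its reply was silently dropped (filtered), a refusal means a RST or ICMP port-unreachable came back (closed, which still proves the firewall passed the packet), and host/network-unreachable errors usually mean an ICMP admin-prohibited from a REJECT rule. The `pick_free_ports` helper and the loopback demo are only there so the example runs offline; the host name, port ranges and timeouts are assumptions.

```python
import errno
import selectors
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listeners(ports, host="0.0.0.0"):
    """Bind one TCP listener per port in a single process and serve all of them
    from one selector loop. Returns (bound_sockets, stop_event, thread).
    Ports that cannot be bound (EACCES below 1024 without root, EADDRINUSE) are skipped."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            s.listen(16)
        except OSError:
            s.close()
            continue
        s.setblocking(False)
        socks.append(s)

    stop = threading.Event()

    def serve():
        sel = selectors.DefaultSelector()     # epoll/kqueue: no FD_SETSIZE limit
        for s in socks:
            sel.register(s, selectors.EVENT_READ)
        while not stop.is_set():
            for key, _ in sel.select(timeout=0.2):
                try:
                    conn, _ = key.fileobj.accept()
                    conn.close()              # completing the handshake is all the scanner needs
                except OSError:
                    pass
        sel.close()
        for s in socks:
            s.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return socks, stop, thread


def classify(exc):
    """Map a failed connect() onto nmap-style states."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"                     # SYN (or reply) silently dropped
    if isinstance(exc, ConnectionRefusedError):
        return "closed"                       # RST / ICMP port-unreachable: the firewall passed it
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"                     # ICMP admin-prohibited (REJECT rule) or no route
    return "error"


def probe(host, port, timeout=2.0):
    """Full TCP connect to one port; works unprivileged, unlike a SYN scan."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def scan(host, ports, timeout=2.0, workers=64):
    """Probe many ports in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def pick_free_ports(n, host="127.0.0.1"):
    """Ask the kernel for n currently free ports (only used by the offline demo)."""
    socks = [socket.socket() for _ in range(n)]
    try:
        ports = []
        for s in socks:
            s.bind((host, 0))
            ports.append(s.getsockname()[1])
        return ports
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    # Offline demo over loopback: three listening ports plus one deliberately left unbound.
    ports = pick_free_ports(4)
    socks, stop, thread = start_listeners(ports[:3], host="127.0.0.1")
    try:
        for port, state in sorted(scan("127.0.0.1", ports).items()):
            print(f"{port}/tcp {state}")
    finally:
        stop.set()
        thread.join()
```

For the real test, run `start_listeners(range(1, 65536))` as root on the outside box with the open-file limit raised above 65535 (`ulimit -n 70000`), then `scan("<public IP>", range(1, 65536), timeout=3.0)` from the inside; whatever comes back `closed` or `open` is an outbound port the firewall permits. Because the scanner completes the handshake, the listener must keep accepting after the first connection, which is also why a plain `nc -l` (which exits after one client unless started with `-k`) can mislead a connect scan even though it is fine for the SYN scan root nmap does by default.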

Solution 3:

Firebind.com provides this service.

It lets you test your outbound connectivity over an arbitrary range of UDP or TCP ports. Testing ranges larger than 100 ports requires a free account.