From sacha@severus.org Wed Apr 3 12:29:08 2002
Date: Tue, 2 Apr 2002 12:55:56 -0500
From: Sacha Faust
To: bugtraq@securityfocus.com
Subject: Firewall-1 Identification : port 257 (ie archive : 18701)

It's been known for a while that if you find a host with open TCP ports 256, 257 and 258, you can be pretty sure it's a Firewall-1 box (please refer to: http://online.securityfocus.com/archive/1/18701).

I did some additional poking at the system and found out that if you connect to port 257 and hit a few keys, the server will return the fwa1 string. Here is the sequence that works for me:

1. hit enter
2. hit a few keys (2-3 is enough)
3. hit enter

The server will return the fwa1 string.

Example (my input was enter+test+enter):

    [sacha@hole sacha]$ nc 1.1.1.1 257
    30000005
    test
    fwa1
    [sacha@hole sacha]$

If you hit other sequences, you get data but no fwa1 string.

I haven't seen this feature mentioned. If this is already known, please ignore this post.

This was discovered on a client system so I don't have all the details of the firewall config for now. All I know is it's a FW1 box. On what, I have no idea.

---------
Sacha Faust
sacha@severus.org
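An added detection example, not part of the post above: a small Python script that scans firewall log lines for a single source sweeping TCP 256, 257 and 258 on one destination (the three-port signature the post relies on) and for any connection to port 257, where the fwa1 banner probe lands. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post) in an assumed
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>" format.
SAMPLE_LOG = """\
2002-04-02T12:40:01 203.0.113.7 -> 192.0.2.10:256 accept
2002-04-02T12:40:02 203.0.113.7 -> 192.0.2.10:257 accept
2002-04-02T12:40:02 203.0.113.7 -> 192.0.2.10:258 accept
2002-04-02T12:41:10 198.51.100.4 -> 192.0.2.10:257 accept
2002-04-02T12:42:00 203.0.113.7 -> 192.0.2.10:80 accept
2002-04-02T12:43:05 198.51.100.9 -> 192.0.2.11:22 drop
"""

FW1_PORTS = {256, 257, 258}  # the three ports named in the post

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def parse_log(text):
    """Yield (src, dst, port) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def find_fingerprint_attempts(text):
    """Map (src, dst) -> sorted ports for sources that touched all three
    Firewall-1 ports on the same destination (the sweep pattern)."""
    seen = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port in FW1_PORTS:
            seen[(src, dst)].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if ports == FW1_PORTS}


def find_port_257_probes(text):
    """Return the set of sources that connected to port 257 at all, since
    the fwa1 banner is returned on that port alone."""
    return {src for src, _, port in parse_log(text) if port == 257}


if __name__ == "__main__":
    for (src, dst), ports in find_fingerprint_attempts(SAMPLE_LOG).items():
        print(f"{src} swept FW-1 ports {ports} on {dst}")
    print("port 257 probes from:", sorted(find_port_257_probes(SAMPLE_LOG)))
```

On the sample above the sweep comes only from 203.0.113.7, while 198.51.100.4 shows up in the port 257 list without completing the three-port pattern.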