I'm trying to find out where a port is being blocked by a firewall; either en-route to a host or by the host itself.
If I run nmap I can see that the port is filtered. However, this could mean by the host 192.168.1.74 or any firewall in between. Is there a way to find out exactly where?
joel@bohr ~ $ nmap -A 192.168.1.74 --traceroute
Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-18 20:27 GMT
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for android-63731d6ebec9e01.lan (192.168.1.74)
Host is up (0.040s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
2222/tcp filtered unknown
A firewall can block packets in two ways: drop and reject. In case of a reject, the IP stack of the firewall sends an ICMP destination unreachable packet with code 9, 10 or 13:
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml#icmp-parameters-codes-3
This means that the communication is not permitted.
But some people think that it is a security concern to tell an attacker what is permitted and what is not. Those guys do not reject but drop packets.
In that case you have no chance to directly detect the firewall. You can only detect the firewall indirectly. If you do not get any response, it is likely that there is a firewall, because a router would send you an ICMP unreachable packet if the system did not exist. This is the assumption nmap makes in your case.
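To make the reject/drop distinction in the answer concrete, here is an added example (not part of the original post) that classifies the raw IPv4 reply to a single TCP SYN probe the way a scanner does, and shows why a reject gives away the filtering device: the ICMP unreachable packet carries the rejecting firewall's own address as its source. The sample packets, addresses and port are constructed here for illustration, not captured from the asker's network.

```python
import struct
from typing import Optional

# ICMP type 3 codes from the IANA registry that a rejecting firewall sends;
# other type 3 codes come from routers reporting a genuine routing failure.
ADMIN_PROHIBITED = {9: "network admin prohibited",
                    10: "host admin prohibited",
                    13: "communication admin prohibited"}

def classify_probe_response(reply: Optional[bytes]) -> str:
    """Classify the raw IPv4 reply to one TCP SYN probe (None = timed out)."""
    if reply is None:
        # Drop policy: the only evidence of a filter is silence.
        return "filtered: no reply (dropped somewhere, or host absent)"
    ihl = (reply[0] & 0x0F) * 4                # IPv4 header length in bytes
    proto, sender = reply[9], ".".join(str(b) for b in reply[12:16])
    body = reply[ihl:]
    if proto == 1:                              # ICMP
        icmp_type, code = body[0], body[1]
        if icmp_type == 3 and code in ADMIN_PROHIBITED:
            # Reject policy: the sender address names the device that filtered.
            return f"filtered: rejected by {sender}, ICMP code {code} ({ADMIN_PROHIBITED[code]})"
        if icmp_type == 3:
            return f"unreachable: ICMP code {code} from {sender} (routing error, not a reject)"
        return f"unexpected ICMP type {icmp_type} from {sender}"
    if proto == 6:                              # TCP
        flags = body[13] & 0x3F                 # FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32
        if flags & 0x04:
            return f"closed: RST from {sender}"
        if (flags & 0x12) == 0x12:
            return f"open: SYN/ACK from {sender}"
        return f"unexpected TCP flags 0x{flags:02x} from {sender}"
    return f"unexpected IP protocol {proto} from {sender}"

# Constructed sample packets (not real captures), addressed to scanner 192.168.1.10.
def make_ipv4(proto: int, src: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes([192, 168, 1, 10]))
    return hdr + payload

def make_icmp_unreach(src: str, code: int) -> bytes:
    # type 3, given code, checksum/unused zeroed, 28 bytes of quoted original header
    return make_ipv4(1, src, struct.pack("!BBHI", 3, code, 0, 0) + bytes(28))

def make_tcp(src: str, flags: int) -> bytes:
    return make_ipv4(6, src, struct.pack("!HHIIBBHHH", 2222, 40000, 0, 0, 0x50, flags, 0, 0, 0))

if __name__ == "__main__":
    for pkt in (make_icmp_unreach("192.168.1.1", 13), make_tcp("192.168.1.74", 0x14),
                make_tcp("192.168.1.74", 0x12), make_icmp_unreach("10.0.0.1", 1), None):
        print(classify_probe_response(pkt))
```

Only the reject case yields an address; with a drop policy the classifier, like nmap, can report nothing more than "filtered".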