Which scan type is MOST appropriate to bypass firewall rulesets and determine whether a firewall is stateful or not?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which scan type is MOST appropriate to bypass firewall rulesets and determine whether a firewall is stateful or not?

Explanation:
Sending a TCP packet with only the ACK flag set tests how a firewall handles unsolicited state information and whether it tracks connections. This approach doesn’t try to establish a new TCP session, so it’s a blunt probe of the firewall’s filtering rules rather than a normal connection attempt. In a stateful firewall, unsolicited ACKs are typically dropped because there’s no established connection to anchor the state, so probes to many ports will get no response. In contrast, a stateless firewall or a simple filtering setup may let those ACK packets pass or elicit a more predictable response (such as a reset) from the target, revealing what the firewall allows or blocks without relying on an actual connection being established.

This makes the TCP ACK scan particularly useful both for bypassing certain rule patterns that depend on connection state and for inferring whether a firewall is maintaining state information. Other scan types often rely on initiating or spoofing connections and can be more readily filtered or misinterpreted by modern firewalls, making them less reliable for discerning statefulness.
