Before looking into different methods of determining what type of firewall victim is running. Lets take a look at different firewall configurations and type of firewalls.

Types of Firewalls
Packet-Filtering Firewall
This is the simplest form of firewall that works at Network OSI layer. This type of firewall examines packet and makes decisions based on source and destination IP, ports number and protocol.
Circuit-Level Gateway
This type of firewall is able to detect weather requested session is valid by checking the TCP handshaking between the packets. They do not filter individual packets
Application-Level Firewall
This type of firewall analyses the application information and then makes decision on weather allow packet or no.
Stateful-Multilayer Inspection Firewall
This is the most advance type of firewall that combines all other types of firewalls.

Types of Firewall deployments
Bastion Host
This is point through which traffic enters and exits the network. Bastion Host has two interfaces one connects to public and one to private network.
Screened Subnet
This type of firewall has tree built in interfaces. The tree interfaces connected to internal network, DMZ and Public.
Multihomed Firewall
Has two or more network and each one is connected logically and physically.
Demilitarized Zone
DMZ is a buffer zone between public and private networks. In most cases used to host publicly available services.

Traceroute
Traceroute is is a network debugging utility designed to map out all hosts en route to a particular destination. Traceroute works by sending UDP or ICMP packets to target host and increasing the TTL field in the IP header for each successful round.
Lets looks at few examples using UDP and ICMP.
UDP

 sudo traceroute tekyhost.com
traceroute to tekyhost.com (38.99.188.102), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  51.088 ms  51.458 ms  51.733 ms
 2  * * *
 3  8079-dgw02.mtnk.rmgt.net.rogers.com (69.63.255.157)  158.458 ms  158.673 ms  158.761 ms
 4  209.148.232.53 (209.148.232.53)  159.023 ms  159.042 ms  159.123 ms
 5  209.148.230.26 (209.148.230.26)  162.076 ms  162.420 ms  162.418 ms
 6  be812.ccr41.iad02.atlas.cogentco.com (154.54.11.217)  173.746 ms  34.610 ms  40.615 ms
 7  be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53)  40.121 ms be3084.ccr42.dca01.atlas.cogentco.com (154.54.30.65)  40.754 ms be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53)  39.208 ms
 8  be2892.ccr22.cle04.atlas.cogentco.com (154.54.82.253)  40.966 ms  41.045 ms be2891.ccr21.cle04.atlas.cogentco.com (154.54.82.249)  40.299 ms
 9  be2993.ccr21.yyz02.atlas.cogentco.com (154.54.31.226)  50.846 ms  50.942 ms  50.982 ms
10  be2428.rcr11.yyz01.atlas.cogentco.com (154.54.1.94)  50.445 ms be2429.rcr12.yyz01.atlas.cogentco.com (154.54.1.158)  50.162 ms be2428.rcr11.yyz01.atlas.cogentco.com (154.54.1.94)  32.415 ms
11  154.24.37.38 (154.24.37.38)  33.024 ms te0-0-1-5.rcr21.b011152-1.yyz01.atlas.cogentco.com (154.24.4.50)  42.785 ms te0-7-0-3.rcr21.b011152-1.yyz01.atlas.cogentco.com (154.24.26.194)  42.309 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

ICMP

 sudo traceroute -I tekyhost.com
traceroute to tekyhost.com (38.99.188.102), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.683 ms  2.100 ms  4.376 ms
 2  99.250.108.1 (99.250.108.1)  26.147 ms  26.162 ms  26.309 ms
 3  8079-dgw02.mtnk.rmgt.net.rogers.com (69.63.255.157)  23.462 ms  24.106 ms  24.125 ms
 4  209.148.232.53 (209.148.232.53)  31.936 ms  32.476 ms  32.588 ms
 5  209.148.230.26 (209.148.230.26)  39.018 ms  39.235 ms  39.832 ms
 6  be812.ccr41.iad02.atlas.cogentco.com (154.54.11.217)  43.449 ms  40.737 ms  40.791 ms
 7  be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53)  37.401 ms  39.355 ms  39.481 ms
 8  be2891.ccr21.cle04.atlas.cogentco.com (154.54.82.249)  39.722 ms  90.458 ms  99.686 ms
 9  be2993.ccr21.yyz02.atlas.cogentco.com (154.54.31.226)  36.097 ms  37.977 ms  38.241 ms
10  be2428.rcr11.yyz01.atlas.cogentco.com (154.54.1.94)  37.159 ms  50.069 ms  59.608 ms
11  154.24.37.34 (154.24.37.34)  59.925 ms  56.310 ms  57.101 ms
12  tk.com (38.99.188.102)  59.978 ms  96.007 ms  60.009 ms

Nmap

 sudo nmap --script=firewalk --traceroute tekyhost.com

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-23 11:46 EST
Nmap scan report for tekyhost.com (38.99.188.102)
Host is up (0.072s latency).
rDNS record for 38.99.188.102: tk.com
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
5666/tcp open   nrpe

Host script results:
|_firewalk: None found

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   10.10 ms 192.168.0.1
2   ...
3   22.23 ms 8079-dgw02.mtnk.rmgt.net.rogers.com (69.63.255.157)
4   22.96 ms 209.148.232.53
5   36.10 ms 209.148.230.26
6   39.20 ms be812.ccr41.iad02.atlas.cogentco.com (154.54.11.217)
7   39.58 ms be3084.ccr42.dca01.atlas.cogentco.com (154.54.30.65)
8   38.29 ms be2891.ccr21.cle04.atlas.cogentco.com (154.54.82.249)
9   39.12 ms be2994.ccr22.yyz02.atlas.cogentco.com (154.54.31.234)
10  35.18 ms be2428.rcr11.yyz01.atlas.cogentco.com (154.54.1.94)
11  35.27 ms te0-0-0-7.rcr21.b011152-1.yyz01.atlas.cogentco.com (154.24.26.190)
12  35.92 ms tk.com (38.99.188.102)

Nmap done: 1 IP address (1 host up) scanned in 20.84 seconds

While traceroute and nmap are useful application, they are not very extensible for any kind of serious reconnaissance scanning. Lets take a look at tool called Firewalk.
Firewalking
Firewalking is a technique that can be used to gather information about a remote network protected by a firewall. Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device. The firewalk scan works by sending out TCP or UDP packets with an IP
TTL one greater then the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop
where they will expire and elicit a TTL exceeded in transit message. If the gateway host does not allow the traffic, it
will likely drop the packets on the floor and we will see no response. By sending probes in a successive manner and
recording which ones answer and which ones don’t, the access list on the gateway can be determined.