I would think that a network that even has a physical path capable of bypassing a firewall would be considered broken by design... Or at least insecure.
As long as you want to hear back from the server you send a packet to, you’ll always be able to “reverse tunnel” into a firewall. This is because source ports are ephemerally allocated, which is a necessity unless you want to have a maximum of one HTTP connection at a time.
That said, a proper firewall implementation would only allow traffic back to a source port that is in the routing table as having an established connection. But that’s a stateful firewall (vs. stateless) and comes with its own set of complexities.
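Added illustration, not part of the thread: a small Python simulation of the two policies described in the comment above, using constructed addresses. It shows that a stateless "allow inbound to ephemeral ports" rule necessarily admits packets nobody requested, while a connection-tracking filter admits only the reverse of a flow it saw leave.

```python
from dataclasses import dataclass

EPHEMERAL = range(32768, 60999 + 1)   # typical Linux client source-port range
INSIDE = "10.0.0.5"                    # constructed: the protected host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule: inbound traffic is allowed if it targets an ephemeral port.

    Some rule like this must exist for replies to reach the client at all,
    but it cannot distinguish a reply from an unsolicited packet.
    """
    if pkt.src == INSIDE:
        return True                       # outbound traffic is always allowed
    return pkt.dport in EPHEMERAL


class StatefulFirewall:
    """Record outbound flows and admit only packets that are their reverse."""

    def __init__(self) -> None:
        # (inside_ip, sport, remote_ip, dport) for every flow seen leaving
        self.established: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE:             # outbound: remember the flow, allow it
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: allowed only if it is the mirror image of a recorded flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.allow(Packet(INSIDE, 40000, "203.0.113.10", 443))      # client opens HTTPS
    reply = Packet("203.0.113.10", 443, INSIDE, 40000)         # server answers
    stray = Packet("198.51.100.7", 443, INSIDE, 40001)         # nobody asked for this
    for name, pkt in (("reply", reply), ("unsolicited", stray)):
        print(f"{name:11} stateless={stateless_allow(pkt)} stateful={fw.allow(pkt)}")
```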
Not like this though. Someone connected two different routing domains and set up routing, or they use the same config for OSPF for different routing domains, which you shouldn't do.