Knowing when a firewall is installed is pretty easy. Firewalls tend to just drop the packets they receive. A regular non-firewalled host will return RST packets in response to SYN packets send to closed ports. If any of the ports are open (like your ftp port) they would return a SYN-ACK. Both the SYN-ACK and the RST packets will have a TTL. You can tell the difference between *nix and windows just by looking at the TTL value.