Restating what nebulus200 said:
The way TCP servers work is thus:
The server has a well-known port upon which it runs. So port 80, for example. When you connect to the server on port 80, it then establishes back a connection to you on another port. This back connection is on a port number above 1024. ASCII art:
Code:
Server       Client
  |<--- 80 ----|
  |            |
  |-- 1025+ -->|
  |            |
Now, cool firewalls keep track of connections, so they know that the connection from the server to the client on port 2841 was a response to the connection from the client to the server on port 80. This is known as stateful inspection.

Older firewalls were stupid. The typical way they were configured was to allow any traffic at all over any port with a number greater than 1024. Otherwise, you couldn't connect to servers outside the firewall. So if you try to connect from port 25 on your machine to a high port on the victim machine, the firewall just thinks that the victim machine is sending email.

Answering h3r3tic's question:
The problem with just sending a "GET / HTTP/1.0" to port 80 of every IP address is that the firewall/IDS knows that you're not supposed to be connecting to port 80 of most of those IPs. So your scan is going to ring a lot more bells than if you were doing SYN attempts, which some firewalls/IDSs won't notice.
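
Added example, not part of the original post: a toy Python model of the two firewall behaviours described above (the "allow anything to a port above 1024" rule and stateful inspection), run over constructed packets to show which traffic only the stateful check drops. The Packet tuple, function names and addresses are hypothetical, and the addresses are documentation ranges.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (inside -> outside) or "in".
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port")


def stateless_allow(pkt):
    """Old-style rule from the post: let inside hosts talk out, and let
    anything in as long as it is aimed at a port above 1024."""
    return pkt.direction == "out" or pkt.dst_port > 1024


class StatefulFirewall:
    """Remembers flows opened from the inside; inbound traffic is allowed
    only when it is the exact reverse of a remembered flow.
    Simplification: flows never expire and TCP flags are not modelled."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: swap the endpoints and look for the matching outbound flow.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def evaluate(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]


def unsolicited(packets):
    """Packets the port-number rule passes but stateful inspection drops."""
    return [p for p, (old, new) in zip(packets, evaluate(packets)) if old and not new]


# Constructed sample traffic.
SAMPLE = [
    Packet("out", "10.0.0.5", 2841, "203.0.113.10", 80),  # client opens a web connection
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 2841),   # the server's response to it
    Packet("in", "198.51.100.7", 25, "10.0.0.5", 3000),   # source port 25, nothing asked for it
    Packet("in", "198.51.100.7", 25, "10.0.0.5", 139),    # low destination port
]

if __name__ == "__main__":
    for pkt in unsolicited(SAMPLE):
        print("stateless rule passes, stateful drops:", pkt)
```

The third packet is the case from the post: the port-number rule treats it as ordinary traffic, while the stateful check finds no outbound flow for it to answer.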