Well, as a general principle, you should NOT be able to tell that a firewall is running. That would allow retro-software to know it’s there and attack it in some fashion.
The security professional in me wants to know “Why do YOU want to know?” But security by obscurity is unreliable at best.
That said, if a firewall were running (Norton, Zone Alarm, McAfee, etc.), and were detectable, I would assume that any identifying “marks” (or signs) would be unique to the manufacturer.
In general, if an application is within a firewalled environment, there are going to be two general types of “responses” to improper traffic: 1) dead silence, and 2) a refusal of some kind. The refusal could take the form of an ICMP destination unreachable -> Port unreachable/administratively prohibited (for UDP traffic), or a TCP RST (for TCP traffic).
Take the case of the “dead silence”, which might be the case if the traffic were simply being dropped. If the target system(s) were reachable on other ports, but a connection timed out on the intended ports, you could readily presume that traffic was being blocked by a firewall. However, this still leaves the question of WHERE the firewall might be – source machine, target machine, or network equipment somewhere.
If I were looking for such things, I’d probably do a file search for logs with a time stamp within a few seconds of my last attempt, but that’s no guarantee.
This may not be the answer you were looking for, but it’s what I can come up with off the top of my head.
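
The silence-versus-refusal distinction described above, as an added example that is not part of the original post: a Python check an application can run against its own service to classify a TCP connection attempt and compare it with a second "control" port on the same host. The function names `probe_tcp` and `interpret`, the two-second timeout and the example host and ports are assumptions made for illustration.

```python
import errno
import socket

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connection attempt by how the far side answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"          # a TCP RST came back
    except (socket.timeout, TimeoutError):
        return "silent"           # nothing came back: traffic was dropped
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # an ICMP destination unreachable came back
        raise
    finally:
        s.close()

def interpret(intended, control):
    """Combine the result for the intended port with one for a control port."""
    # Any answer at all on the control port proves the host itself is reachable.
    reachable = control in ("open", "refused")
    if intended == "open":
        return "allowed: connection completed"
    if intended in ("refused", "unreachable"):
        return "refused: closed port or a rejecting firewall, not distinguishable here"
    if reachable:
        return "filtered: dropped somewhere (source, target or network equipment)"
    return "inconclusive: host may be down or every port is dropped"

if __name__ == "__main__":
    # Assumed values: replace with your own service's host and ports.
    host, intended_port, control_port = "127.0.0.1", 8443, 22
    result = interpret(probe_tcp(host, intended_port),
                       probe_tcp(host, control_port))
    print(result)
```

A "filtered" result still does not say where the drop happens, which is why the log search mentioned above remains the next step.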