If an outsider tries to scan the network, you can block this by not allowing packet which don't belong to an ongoing connection. These can be identified with the ACK bit set in the TCP packet. However, a scan can be done with a packet that looks like something in the middle of a connection, that is, with the ACK bit on. The destination service will find that no ongoing session is open and will send a reset response. If the port is not active (no service is listening), there will be no response. But no response is also a bit of information.
The lesson learned here is this: wherever possible the firewall should be completely dual-homed and not allow any IP routing.
