nmap --script ssl-heartbleed --script-args vulns.showall -sV <subnet_goes_here>
If nmap does not show any filtered port, no firewall is present (Either in front or on the scanned host).
However, firewalls can be configured such that they reply REJECT (Acting as a normal TCP/IP response when closed port).