Okay, this keeps getting weirder. I powered down the computer that I was having problems with, but now when I do an Ethereal capture, I see a ton of scans for port 445 (microsoft-ds) originating from the external interface of my firewall. Everything that I've seen says that when you see this kind of traffic you should be looking for a Sasser/Blaster-type worm, but this is a Linux firewall. There's no traffic from internal IPs that shows that it's a host internally generating these scans, but it almost can't be coming from my firewall. Additionally, I set up a rule in the firewall on the outbound chain (yes, it's an old 2.2 kernel) to block everything with that source address to that destination port. Now when I do a netstat, I see nothing but normal connections being made. Is there a chance that these are somehow spoofed, or is there something that I'm not thinking of?
I run Symantec Corporate, and all of my clients are updated and have been scanned since this activity started.