Rather than close the ports why not mask them. I use ZoneAlarm to block anything incoming. My system appears to be off to anyone who is doing a port scan.