Actually by looking a little more closely, I found that mostly they were sending to port 137 and port 445. Googling told me those ports are netbios ports from windows machines and that a recent worm used them.
Besides the firewall, I removed all services in inetd by editing "/etc/inetd.conf" and "kill -HUP id_of_the_inetd_process". By default, it was running a ftp, time, finger, and in.identd.
"nmap -vv localhost" now gives all ports closed.
I have 32k upload and my machine is online 24/7, so I didn't want to leave it unprotected.
Thanks to everyone who helped