Does NMAP need ICMP for accurate UDP state
An Nmap scan on my server reports open states on ports 137:139. But I know
they are not open because I am dropping INPUT packets on those ports in the
firewall rules, and definitely can't connect to those ports from the outside
using an smbclient or nmbstat command. That said, samba is running on the
machine for use internally.
My question... what would give Nmap a "false positive"? I read that nmap
needs a destination-unreachable icmp packet, and the absence of one would
be interpreted as "open". I think I'm outputting that icmp type. Are there
any other possibilities? Or is any udp packet explicitly dropped in iptables
going to show as "open" to nmap?
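
An added example, not part of the original post: a loopback-only Python sketch of how a single UDP probe gets classified, following Nmap's documented UDP states (UDP reply = open, ICMP port unreachable = closed, no answer = open|filtered). The function names, result labels and timeout are assumptions; a bound socket that never answers stands in for an iptables DROP rule, since both are silent to the prober.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"

def probe_udp(host, port, payload=b"\x00", timeout=0.5):
    """Send one datagram and classify the outcome like a UDP port scan would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # connected socket: kernel hands ICMP errors back to us
        s.send(payload)
        s.recv(1024)
        return "open"                # a UDP reply arrived
    except ConnectionRefusedError:
        return "closed"              # ICMP type 3 code 3 (port unreachable) came back
    except socket.timeout:
        return "open|filtered"       # silence: dropped packet or a service ignoring the probe
    except OSError:
        return "filtered"            # approximation: some other ICMP unreachable error
    finally:
        s.close()

def _bound_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))            # port 0: let the kernel pick a free port
    return s, s.getsockname()[1]

def demo():
    results = {}
    tmp, port = _bound_socket()
    tmp.close()                      # nothing listens here now
    results["nothing bound"] = probe_udp(LOOPBACK, port)

    silent, port = _bound_socket()   # bound but never replies (same view as DROP)
    results["bound, silent"] = probe_udp(LOOPBACK, port)
    silent.close()

    echo, port = _bound_socket()
    def serve():
        data, addr = echo.recvfrom(1024)
        echo.sendto(data, addr)      # answer the probe once
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    results["bound, replies"] = probe_udp(LOOPBACK, port)
    t.join(1)
    echo.close()
    return results

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:15} -> {state}")
```
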