I have a small network 3 windows machines and my Linux box. The windows machines are all running Nortons Firewall. With Linux I set it up with high security tables. All behind a hardware router

It started a couple of days ago when I noticed my zip drive light up. I did a netstat and noticed the Dude was conneted to my box. Now I have a virtual windows on my box with samba networking the zip and a temp directory. I disconnected the network drive and broke the connection. So it looks like he was in through one of my windows machines. As long as I didn't fire up the virtual windows machine my box was shielded. If I start it up he will eventualy connect.

Last night I started scanning myself with nmap tring to figure out how he is getting in (by the way he is on a Linux box). I can't get past the router scanning unless I send ack packets, then I learn Nortons is wide open to someone who knows what they are doing.

This morning he connected direct to my linux box. I shut down all incoming to the eth0 and killed the connection. I started tcpdump and pointed at the router gateway and sure enough he shows up. I am over my head in this.. He/She was sending stuff like "awk whois Ip number" and some stuff about icmb. When I have the machine locked down he can't get in.

I think he is hijacking sessions and cruising past the router at that point.

Thats my sad story, I could use a little advice as to how to approach this. I have been reading about firewall setups and its going to take me awhile get a grip on it.

Suggestions ?