Can't interpret this log entry

Jason Opperisano opie at
Fri Sep 24 18:44:44 CEST 2004

On Fri, 2004-09-24 at 11:53, Eric Ellis wrote:
> I'm slightly confused about this log entry that I'm seeing pop up in my 
> syslog.
> The firewall is, on a private net.
> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= 
> MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC= DST=200.2
> 1.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3 
> CODE=3 [SRC= DST= LEN=48 T
> OS=0x00 PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
> it *almost* looks like my box is sending an ICMP query, and getting a 
> "port closed" response.  The thing that bothers me about this is that I 
> don't allow ICMP to talk on the box at all, so I shouldn't be sending 
> ICMP, or if the machine tries to, I should be getting it logged, as I'm 
> logging all of my drops.
> Confused.

it appears as though your firewall ( is receiving an ICMP
port unreachable from in response to a TCP packet it sent
(or SNAT-ed for a machine behind it).

there are those that would say that it's actually not a bad idea to
allow ICMP errors (types 3, 11, 12) into/through your firewall.  YMMV.

icmp types/codes reference:

Jason Opperisano <opie at>

More information about the netfilter mailing list