Ray Leach wrote:

> The port unreachable ICMP reply is coming from your machine in response
> to a packet coming in eth1 trying to get to 192.168.0.x ...

I don't think that's correct. Take a look at the square-bracketed part of the log entry, which is (as I understand it) the packet that caused the ICMP response to be generated. 192.168.0.4 was trying to send a TCP packet *out*. The kernel then (for reasons unclear) tried to send an ICMP message back to 192.168.0.4, but sent it out the wrong interface, eth1, thus tripping my rule.

--
Jordan Russell