> isn't there a possibility (an event) to recognize icmp requests dropped > by the firewall. Do you mean ICMP unreachables with "administratively prohibited" as the subcode? Those should generate icmp_unreachable events *if* the firewall is configured to send the ICMPs (it might instead just silently drop). Vern