> It's not the ICMP that is being prohibited.

Understood, that's clear from the packet trace.

> is an ICMP "host unreachable" response from .250. The extended reason
> for the unreachability is that there is an administrative policy
> preventing the traffic. It almost certainly *is* a firewall that's
> preventing this, one with a REJECT target, as REJECT specifies to
> return an ICMP unreachable packet.

Most firewalls I've seen send a spoofed TCP reset, not an ICMP when rejecting TCP. However, iptables can do either. I have run iptables -F and the tables are shown as clear with iptables -L.

proxy vhosts.d # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (0 references)
target     prot opt source               destination

Chain fail2ban-apache (0 references)
target     prot opt source               destination
proxy vhosts.d #

> I suggest that you look more
> closely at the firewalling on .250. If there is definitely no
> firewalling going on (ie iptables -nvL shows only default policies and
> the default is ACCEPT for INPUT and OUTPUT chains) then could there be
> an intervening network device?

The devices are connected, there's only a switch between them (a Billion ADSL router).