diff --git a/CHANGELOG b/CHANGELOG
index ce9eaaedb..4a6aca6a3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,12 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Added EPROTO to the list of known error codes in service scan. Daniel
+  Miller reported that an EPROTO was causing Nmap to exit after sending
+  the Sqlping probe during service scan. The error message was
+  "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
+  error)". We suspect this was caused by a forged ICMP packet sent by an
+  active firewall.
+
 o [NSE] The dns-recursion script now marks the port when it gets a
   response. This is a patch from Olivier M.
 
diff --git a/service_scan.cc b/service_scan.cc
index bdd7b59ed..876dff1ad 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -2268,6 +2268,10 @@ static void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *myda
 #ifndef WIN32
     case EPIPE:
 #endif
+    case EPROTO:
+      // EPROTO is suspected to be caused by an active IDS/IPS that forges ICMP
+      // type-12 errors ("Parameter problem"). It's been seen in response to the
+      // Sqlping probe.
     case EIO:
       // Usually an SSL error of some sort (those are presently
       // hardcoded to EIO).  I'll just try the next probe.