diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 8a41f99a9506..26f4a0463bd5 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1236,7 +1236,6 @@ ip_fw_chk(struct ip_fw_args *args)
 /* Check if rule only valid for bridged packets */
 if ((f->fw_flg & IP_FW_BRIDGED) != 0 && !(BRIDGED))
 continue;
-#undef BRIDGED
 
 if (oif) {
 /* Check direction outbound */
@@ -1628,6 +1627,11 @@ ip_fw_chk(struct ip_fw_args *args)
 && (proto != IPPROTO_ICMP || is_icmp_query(ip))
 && !((*m)->m_flags & (M_BCAST|M_MCAST))
 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ /* Must convert to host order for icmp_error() etc. */
+ if (BRIDGED) {
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
+ }
 switch (f->fw_reject_code) {
 case IP_FW_REJECT_RST:
 {
@@ -1670,6 +1674,7 @@ ip_fw_chk(struct ip_fw_args *args)
 * Finally, drop the packet.
 */
 return(IP_FW_PORT_DENY_FLAG);
+#undef BRIDGED
 }
 
 /*
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 1e2b84e98373..57155874973b 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1136,9 +1136,15 @@ static void
 send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
 {
-if (code != ICMP_REJECT_RST) /* Send an ICMP unreach */
+if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
+ /* We need the IP header in host order for icmp_error(). */
+ if (args->eh != NULL) {
+ struct ip *ip = mtod(args->m, struct ip *);
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
+ }
 icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
-else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
+} else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
 struct tcphdr *const tcp = L3HDR(struct tcphdr, mtod(args->m, struct ip *));
 if ( (tcp->th_flags & TH_RST) == 0)
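Review bot: In the ip_fw.c hunk at line 1627 the ntohs() swap of ip_len/ip_off is placed before the `switch (f->fw_reject_code)`, so it applies to the IP_FW_REJECT_RST case as well as the ICMP unreach cases, whereas the companion change to send_reject() in ip_fw2.c swaps only inside the `code != ICMP_REJECT_RST` branch; the two files should agree on which reject paths need host order, otherwise the RST path in one of them sees a different ip_len/ip_off than the other. Because the swap mutates the header in place, any reject branch that returns with `*m` still owned by the caller would hand back a bridged packet whose length and offset fields are now in host order; if every branch frees or consumes the mbuf, a one-line comment stating that invariant would make the in-place edit obviously safe. The new comment would also be more useful if it said why bridged packets reach this point in network order (presumably because the bridge path bypasses the byte swap that ip_input() performs — confirm), e.g. `/* Bridged packets skip ip_input()'s byte swap, so ip_len/ip_off are still in network order here. */`. The switch body and the rest of ip_fw_chk() continue outside the hunk.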
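Review bot: In the ip_fw.c hunk at line 1674 the relocated `#undef BRIDGED` now sits directly after the function's final `return(IP_FW_PORT_DENY_FLAG);`, which reads like unreachable code to anyone skimming the function even though the preprocessor handles it regardless of control flow. A short comment tying it to the definition that is no longer nearby would avoid the double take, e.g. `/* End of the BRIDGED macro's scope (defined near the top of ip_fw_chk()). */`. The matching `#define` is outside the hunks shown here, so its exact location could not be confirmed.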