From: Alan D. <ad...@gm...> - 2007-03-15 17:04:16
We have successfully configured a wireless router on Blue to provide secure access to our internal network. There is one DMZ Pinhole from Blue to Green that routes to the Citrix server. Wireless clients can then connect to the wireless router and use the Citrix VPN client to authenticate and gain secure access to the internal network. This is great!

Looking at the firewall log I see many ICMP protocol hits attempting to go from the wireless router to the Citrix server. In the log snippet below "10.10.y.y" is the wireless router IP, "192.168.x.x" is the Citrix Access Gateway IP:

Time      Chain   Iface  Proto  Source     Src Port  MAC Address  Destination  Dst Port
....
09:18:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1495
09:18:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1421
09:18:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1422
09:18:17  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1431
09:18:34  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1442
09:18:34  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1440
09:18:34  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1480
09:19:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1495
09:19:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1421
09:19:09  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1422
09:19:17  OUTPUT  eth1   ICMP   10.10.y.y  p         :::::        192.168.x.x  1431
....

The problem is that I don't want these hits filling the firewall log. The above was from one test user connected. We will have more than a dozen users when we roll this out. The log will have far too much noise!

1. The DMZ Pinhole administration screen allows selection of TCP and UDP protocols only, no ICMP. I think only one of the above destination ports needs to be opened, assuming that the other ports are attempted only if no others work. How do I create a Blue to Green pinhole for ICMP?

2. If a pinhole for ICMP is not possible or too hard, how do I simply disable logging of these firewall hits?

Thank you!
Alan
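Before changing pinhole or logging rules it helps to quantify the noise: which (chain, interface, protocol, source, destination) flows dominate the log, how many hits per minute they produce, and which destination ports are involved. The following parser is an added example written for this thread, not code from the original post or from the firewall project; it assumes the nine-column layout shown in the quoted snippet (Time, Chain, Iface, Proto, Source, Src Port, MAC Address, Destination, Dst Port), reuses the quoted ICMP lines as sample input, and adds one constructed TCP line to show that unrelated traffic is kept separate.

```python
"""Aggregate firewall log hits by flow to find what is filling the log.

Added example for this thread; the log format is assumed from the quoted
snippet (nine whitespace-separated columns). Sample data below is taken
from the post plus one constructed TCP line.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the eleven ICMP lines quoted in the post plus one
# made-up TCP line (not from the post) to show unrelated traffic is kept apart.
SAMPLE_LOG = """\
Time Chain Iface Proto Source Src Port MAC Address Destination Dst Port
....
09:18:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1495
09:18:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1421
09:18:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1422
09:18:10 FORWARD eth1 TCP 10.10.y.y 51234 00:11:22:33:44:55 192.168.x.x 443
09:18:17 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1431
09:18:34 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1442
09:18:34 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1440
09:18:34 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1480
09:19:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1495
09:19:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1421
09:19:09 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1422
09:19:17 OUTPUT eth1 ICMP 10.10.y.y p ::::: 192.168.x.x 1431
....
"""

Flow = Tuple[str, str, str, str, str]  # (chain, iface, proto, src, dst)


class Entry(NamedTuple):
    time: str
    chain: str
    iface: str
    proto: str
    src: str
    src_port: str
    mac: str
    dst: str
    dst_port: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, separators or malformed lines."""
    parts = line.split()
    if len(parts) != 9 or parts[0] == "Time" or parts[0].startswith("."):
        return None
    return Entry(*parts)


def parse_log(text: str) -> List[Entry]:
    """Parse every usable line of a log dump into Entry records."""
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def flow_counts(entries: List[Entry]) -> Counter:
    """Count hits per flow, ignoring ports so repeated probes collapse together."""
    return Counter((e.chain, e.iface, e.proto, e.src, e.dst) for e in entries)


def noisy_flows(entries: List[Entry], threshold: int) -> Dict[Flow, int]:
    """Flows with at least `threshold` hits: candidates for a rule or a logging exception."""
    return {flow: n for flow, n in flow_counts(entries).items() if n >= threshold}


def hits_per_minute(entries: List[Entry], proto: str) -> Dict[str, int]:
    """Hits for one protocol bucketed by HH:MM, to estimate log growth per user."""
    counts: Counter = Counter(e.time[:5] for e in entries if e.proto == proto)
    return dict(sorted(counts.items()))


def dst_ports(entries: List[Entry], src: str, dst: str) -> List[str]:
    """Distinct destination ports seen for a source/destination pair."""
    return sorted({e.dst_port for e in entries if e.src == src and e.dst == dst})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for flow, n in noisy_flows(log, threshold=5).items():
        print(f"{n:4d} hits  {' '.join(flow)}")
    print("ICMP hits per minute:", hits_per_minute(log, "ICMP"))
    print("Ports toward Citrix:", dst_ports(log, "10.10.y.y", "192.168.x.x"))
```

Running it on the quoted sample reports a single noisy ICMP flow (11 hits, 7 in the first minute and 4 in the second) across seven destination ports, which is the figure to multiply by the expected user count when deciding whether a pinhole or a logging exception is the better fix.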