[IPCop-user] Pinhole ICMP from Citrix clients?

[Alan D. <ad...@gm...>]

We have successfully configured a wireless router on Blue to provide
secure access to our internal network.  There is one DMZ Pinhole from
Blue to Green that routes to the Citrix server.  Wireless clients can
then connect to the wireless router and use the Citrix VPN client to
authenticate and gain secure access to the internal network.  This is
great!

Looking at the firewall log is see many ICMP protocol hits attempting
to go from the wireless router to the Citrix server.  In the log
snippet below "10.10.y.y" is the wireless router IP, "192.168.x.x" is
the Citrix Access Gateway IP:

Time   Chain   Iface   Proto   Source   Src Port   MAC Address
Destination   Dst Port
....
09:18:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1495
09:18:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1421
09:18:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1422
09:18:17   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1431
09:18:34   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1442
09:18:34   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1440
09:18:34   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1480
09:19:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1495
09:19:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1421
09:19:09   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1422
09:19:17   OUTPUT   eth1   ICMP   10.10.y.y   p   :::::   192.168.x.x   1431
....

The problem is that I don't want these hits filling the firewall log.
The above was from one test user connected.  We will have more than a
dozen users when we roll this out.  The log will have far too much
noise!

1. The DMZ Pinhole administration screen allows selection of TCP and
UDP protocols only, no ICMP.  I think only one of the above
destination ports needs to be opened, assuming that the other ports
are attempted only if no others work.  How do I create a Blue to Green
pinhole for ICMP?

2. If a pinhole for ICMP is not possible or too hard, how do I simply
disable logging of these firewall hits?

Thank you!

Alan