I've got a BM3.8 box with static & dynamic NAT and a Citrix server behind it
on our internal network.

I've got generic TCP & UDP forwarding proxy set for ports 1494 and 1604 from
the public BM IP address to the Citrix server on an internal IP address.

I have all the filters set exactly as per Craig's book but people can only
connect from the outside if I lower the filters.

What the heck can I be doing wrong?