Does anyone have a definitive list of exactly what the DMZ mode will pass and what is silently intercepted by the CNG3ACSMR?
I set up a Linux system behind the modem and assigned it as the DMZ host. Then I ran a complete network sweep of ports 1 to 1023 against it. Running tcpdump showed that some ports were getting through, but there were a lot that seem to be problematic, including the SSH port 22, which never arrived. This is the list that I have discovered that seem not to work in DMZ mode.
PORT     STATE     SERVICE
22/tcp   filtered  ssh
23/tcp   filtered  telnet
80/tcp   filtered  http
111/tcp  filtered  rpcbind
135/tcp  filtered  msrpc
136/tcp  filtered  profile
137/tcp  filtered  netbios-ns
138/tcp  filtered  netbios-dgm
139/tcp  filtered  netbios-ssn
443/tcp  filtered  https
445/tcp  filtered  microsoft-ds
513/tcp  filtered  login
520/tcp  filtered  unknown
The CNG3ACSMR built-in help for the DMZ mode, however, states the following.
"DMZ allows the selected computer to bypass the firewall features of the gateway and permits unrestricted access from the Internet to that computer. If there is a local client PC that cannot run an Internet application properly behind the NAT firewall, that client can be set up to unrestricted two-way Internet access by setting them to be the DMZ Host. Adding clients to the DMZ (Demilitarized Zone) may expose the local network to a variety of security risks, so please use this setting with care."
Can anyone clarify? Are these blocks not in the modem but higher up in the Rogers network? It's possible that 80 and 443 are being redirected via dynamic port forwarding rules, but none of the others are in the port forwarding tables.
I have done some further extensive testing, with the router still in gateway mode but with all port forwarding disabled and the firewall completely turned off, by using the firewall "custom" setting. I have managed to reduce the number of ports over which I appear to have absolutely no control to these.
PORT     STATE     SERVICE
22/tcp   filtered  ssh
23/tcp   filtered  telnet
135/tcp  filtered  msrpc
137/tcp  filtered  netbios-ns
138/tcp  filtered  netbios-dgm
139/tcp  filtered  netbios-ssn
The lack of SSH is the real killer... The rest I couldn't really care less about. I strongly suspect that SSH is blocked in the modem and wonder if that block can be removed on a case-by-case basis?
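The comparison between the two scans in the post above, as an added example that is not part of the original post: it parses both port tables and separates the ports that opened up once the firewall was set to "custom" from those that stayed filtered in both tests. The function and variable names are illustrative; the port data is copied from the post.

```python
import re

# Port tables copied from the two scans in the post (whitespace layout does not matter).
DMZ_MODE_SCAN = """PORT STATE SERVICE 22/tcp filtered ssh 23/tcp filtered telnet
80/tcp filtered http 111/tcp filtered rpcbind 135/tcp filtered msrpc
136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn 443/tcp filtered https 445/tcp filtered microsoft-ds
513/tcp filtered login 520/tcp filtered unknown"""

FIREWALL_OFF_SCAN = """PORT STATE SERVICE 22/tcp filtered ssh 23/tcp filtered telnet
135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn"""

# One nmap port-table entry: "<port>/<proto> <state> <service>".
ENTRY = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def filtered_ports(nmap_text):
    """Return {port: service} for every entry reported as 'filtered'."""
    return {
        int(port): service
        for port, _proto, state, service in ENTRY.findall(nmap_text)
        if state == "filtered"
    }


def compare_scans(before_text, after_text):
    """Split filtered ports into (released, still_filtered, newly_filtered)."""
    before = filtered_ports(before_text)
    after = filtered_ports(after_text)
    released = sorted(set(before) - set(after))        # changed with the setting
    still_filtered = sorted(set(before) & set(after))  # unaffected by the setting
    newly_filtered = sorted(set(after) - set(before))  # regressions, if any
    return released, still_filtered, newly_filtered


if __name__ == "__main__":
    released, still, new = compare_scans(DMZ_MODE_SCAN, FIREWALL_OFF_SCAN)
    names = {**filtered_ports(DMZ_MODE_SCAN), **filtered_ports(FIREWALL_OFF_SCAN)}
    for label, ports in (("released by firewall=custom", released),
                         ("filtered in both tests", still),
                         ("newly filtered", new)):
        print(f"{label}: " + ", ".join(f"{p} ({names[p]})" for p in ports))
```

Ports in the "filtered in both tests" group are the ones that neither the DMZ setting nor the firewall setting changed, which is the set to raise with the provider.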