DMZ host validation error and strange behaviour

throughwalls
I am running 1.4.2. I have a default DHCP subnet of 192.168.1.xxx.
Bug report:
I tried setting up a DMZ host (Firewall menu, Port Forwarding page). When I typed 192.168.1.255, the validation code makes it glow red and refuses to allow it. When I choose 192.168.1.254, it is happily accepted. I assume this is a field validation error. Or is there some reason .255 is not allowed?
And then strange behaviour:
I actually have no machine with either DMZ IP address. So what happens?
I was reading a previous thread on grc.com "stealth" and Gargoyle. When I do the scan normally (no DMZ defined) you get a few ports in green "stealth mode" (maybe that is my ISP?) and most ports in blue "closed mode".
When I do a scan with this non-existent DMZ host defined, I get very odd almost random port behaviour.
Is the router dealing with those decisions, or is something else happening?
I had, a while ago, tried this on another router, and everything "looked" like it was in stealth mode.
I realize I do not want to leave this DMZ defined, but I wonder about the results.

DoesItMatter (Moderator)
Re: DMZ host validation error and strange behaviour
Yes, there are restrictions on using .0 and .255 for an IP.
You're usually using .1 thru .254 as normal IPs.
Firewall rules are NOT dependent on a machine existing with that IP.
You can set up any IPs, even if not being used currently.

Don't worry about the Stealth mode.
As long as the ports show closed, that's good.
Open ports - yes, take care of those as soon as possible.
If you read more about stealth ports, you will see that if you are under
attack from hosts, stealth can actually slow down your connection.
It's actually better for your connection to reject the packets.

Why are you messing with the DMZ?
DMZ is usually used for 1 specific PC that you want to connect
directly to the internet - usually for a server that you want
FTP / HTTP access. When doing that though, you need to make
sure that there is a firewall on that PC that you can define the
rules yourself. DMZ bypasses any other firewall rules you
configure or set up in the router.

Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
using that IP, the results from grc.com are either hitting your
modem or router instead, not actually using that IP address.


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
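
Why a form would accept .254 but reject .255 on a 192.168.1.xxx subnet, as an added example that is not part of the thread and is not Gargoyle's own validation code. The function names, the router address 192.168.1.1 and the /24 prefix are assumptions; the check also goes beyond /24 to show that the reserved addresses follow the netmask, not the last octet.

```javascript
// Added example (not Gargoyle code): classify a DMZ / port-forward target
// against the LAN subnet. All names and sample addresses are assumptions.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function parseIPv4(text) {
  const parts = String(text).trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Netmask for a prefix length, kept unsigned with >>> 0.
function maskFromPrefix(prefix) {
  return (0xffffffff << (32 - prefix)) >>> 0;
}

// Returns "ok" or the reason the address cannot be a forwarding target.
function classifyHost(candidate, lanIp, prefix) {
  const host = parseIPv4(candidate);
  const lan = parseIPv4(lanIp);
  if (host === null || lan === null) return "malformed";
  // /31 and /32 have no separate network/broadcast addresses; out of scope here.
  if (!Number.isInteger(prefix) || prefix < 1 || prefix > 30) return "bad-prefix";
  const mask = maskFromPrefix(prefix);
  const network = (lan & mask) >>> 0;
  const broadcast = (network | (~mask >>> 0)) >>> 0;
  if (((host & mask) >>> 0) !== network) return "outside-subnet";
  if (host === network) return "network-address";     // all host bits 0
  if (host === broadcast) return "broadcast-address"; // all host bits 1
  if (host === lan) return "router-address";          // would forward to itself
  return "ok";
}

// Constructed sample inputs: [candidate, router LAN address, prefix length].
const samples = [
  ["192.168.1.255", "192.168.1.1", 24], // broadcast on a /24
  ["192.168.1.254", "192.168.1.1", 24], // ordinary host
  ["192.168.1.127", "192.168.1.1", 25], // broadcast on a /25
  ["192.168.0.255", "192.168.0.1", 23], // ordinary host on a /23
];
for (const [ip, lan, prefix] of samples) {
  console.log(`${ip} in ${lan}/${prefix}: ${classifyHost(ip, lan, prefix)}`);
}
```
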

throughwalls
Re: DMZ host validation error and strange behaviour
DoesItMatter wrote:
> Yes, there are restrictions on using .0 and .255 for an IP.
> You're usually using .1 thru .254 as normal IPs.

Interesting. I did not know this. And so I find http://en.wikipedia.org/wiki/IPv4#Addre ... n_0_or_255

DoesItMatter wrote:
> Why are you messing with the DMZ?
> ...
> Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
> using that IP, the results from grc.com are either hitting your
> modem or router instead, not actually using that IP address.

Normally I have no DMZ defined as I provide no steady service to the outside world. But I wanted to test and see what happened. It was reverted as soon as I sent the earlier message.

throughwalls
Re: DMZ host validation error and strange behaviour
DoesItMatter wrote:
> Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
> using that IP, the results from grc.com are either hitting your
> modem or router instead, not actually using that IP address.

This does not make sense to me.
If I configure a DMZ machine and it happens to be powered off (or in this case non-existent), why would the packets be routed somewhere else? And to a random destination?
And why, in the picture above, is there no consistent behaviour for the ports tested? I have never seen a machine with such random results, including a stretch of a few rows of solid green.

DoesItMatter (Moderator)
Re: DMZ host validation error and strange behaviour
Here is a port-scan from grc.com with a default config.
All I did is set up the wireless.
No firewall rules, etc.
I suggest you try to reset your router to defaults and do a test first.
Then configure any firewall rules, etc.
Attachment: grc-port-scan.jpg


throughwalls
Re: DMZ host validation error and strange behaviour
I fully understand the results you posted the picture of. I get (almost) the same results, with the exception that my ISP seems to block some different ports.
But I still do not understand the results from my original picture, when I have a DMZ host specified which is not available on the network. Who is receiving those packets?

DoesItMatter (Moderator)
Re: DMZ host validation error and strange behaviour
throughwalls wrote:
> I fully understand the results you posted the picture of. I get (almost) the same results, with the exception that my ISP seems to block some different ports.
> But I still do not understand the results from my original picture, when I have a DMZ host specified which is not available on the network. Who is receiving those packets?

It should be the router. The router is sending all the network traffic
to some host that matches the IP.
But if no IP exists, it seems the router itself, or maybe your modem,
is answering those probes.
Set the DMZ to one of your machines, then re-do the test.

