Adding firewall rules to Pace 5268AC...

It is not a bug.  Something is intentionally changing your firewall rules.  The firewall on the ATT modem is absolutely useless because the vulnerabilities that exist on ATT's equipment.  Think of your residential gateway as a hacked open door to the internet, just like mine, just like everyone whether they realize it or not.

There are no ATT modems currently offered that can be secured.  Get a hardware firewall and put it behind your gateway, buy a vpn and block all incoming and outgoing traffic on the firewall except the vpn traffic.  There is no combination of firewall rules that will keep you safe other than blocking everything.  Also, if you do not factory reset your pc, wipe the drives, and configure the firewall while disconnected you will still not be safe.  The malware/virus on your pc will open backdoors allowing tunnelled traffic through even if you block everything.  So you have to do it all or dont even bother.  Put anything you dont care to be secured outside the firewall as well as your wifi, it is impossible to secure wifi so either dont use it or keep it outside the firewall.  Disable wifi on all devices behind your firewall.  Devices like tv's and blueray players do not put behind the firewall either, they will used against you.  Do not get a router/wifi combo thinking the firewall on it will keep you safe, it will not.  You need a dedicated hardware firewall.  Please, express your unhappiness to ATT that their customers have to go to these lengths due to their equipment.

Thinking out loud, another approach to the above commentary, one that I cannot provide, would be illustrative. It may even include a sample model number (of course, the standard disclaimer that says the brand is not supported, etc.). It is always easy to say to say what AT&T doesn't do well, I do it myself, but let's provide solid examples or reviews of solutions as well. 

Comment with evidence to back up claims, you say?  How?!

AT&T will periodically censor us off and there go all the work at bothering to make a comment here at all (I have 4 or 5 usernames that have been banned by at&t)....the truth must not be publicized to the racket that profiteers from our hardships (but you darnwell better not be late on that payment, sonny).

It's gotten so obviously bad (the 12.xxx.xxx.xxx att-owned address that my communications must go through appear to be part or all of my problem).  I've documented it, created a webpage and host the page online (where it gets censored by another monopoly), written to the Attorney General of our state, written to consumer affairs, commented on many of the online legal sites, and more....proof our american system has crumbled by going with the monopolies is here:  usdebtclock D O T org

amen