Reply to post:

Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

Lee D Silver badge

STOP OPENING PORTS TO THINGS THAT DON'T NEED PORTS OPEN!

Seriously, nothing to do with the firmware or whatever... what the hell is a NAS with those kinds of documents doing handling raw packets from the Internet?

I *BET* this is a UPnP thing too... where the box just says "Hey, open all these ports and point them at me" and people's stupid networks just obey blindly without any notification.

Firewalls are supposed to work BOTH WAYS, people. Not letting in anyone who shouldn't be in, not letting anything talk out that shouldn't be out, and NOT blindly doing so automatically or operated by someone who just cuts holes in the damn thing unthinkingly "to make everything work".

An analogy I use... every port-forward is like drilling a hole in your marble worktop, or punching a hole through your house's outer wall. Sure, you have to do so occasionally. Of course it's necessary for some parts to work (e.g. taps). But you don't go drilling more and more and more holes just because it makes it easier for the electrician, and you don't make the holes any larger than necessary and, when you're done with that hole, you fill it back in.

I have fewer ports forwarded (never just open, but forwarded to another machine on an enclosed VLAN) than almost anyone else in the same industry as me, and yet I offer far more services on-site than anyone else in the same position.

Unless you are running, deliberately running, a server on a well-known port, you do not open (incoming) ports. And you disable UPnP on any gateway device immediately upon receipt (clients can request UPnP all day long from their UPnP services if they like, but it's the gateway that actually acts upon them).

And all "servers" should be treated as such - updates, security, authentication, least-privilege, auditing, logging, and where possible proxying between them and the outside world too. (I once got marked down in a security audit involving an external penetration test because they were unable to query my webservers directly as they all showed up as a Squid/Apache reverse proxy. "Obviously" that stopped them being able to look for version strings and query vulnerability to ridiculous URL constructions like "../../../.." etc. so they marked me down... despite the fact that that's *precisely* why that's in place)

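As an added example (not the commenter's code) of checking what a gateway has actually been told to open, here is a Python audit that parses UPnP IGD GetGenericPortMappingEntry responses and flags forwards that land outside the enclosed server VLAN or use an unapproved external port. The sample responses, the 192.168.99.0/24 VLAN and the port allow-list are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed samples, shaped like the GetGenericPortMappingEntry responses a UPnP IGD
# gateway (WANIPConnection:1) returns when its port-mapping table is walked entry by entry.
_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
    '<NewInternalPort>{int_}</NewInternalPort><NewInternalClient>{host}</NewInternalClient><NewEnabled>{on}</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=443, proto="TCP", int_=443, host="192.168.99.10", on=1, desc="reverse proxy"),
    _TEMPLATE.format(ext=8080, proto="TCP", int_=80, host="192.168.1.50", on=1, desc="NAS web UI"),
    _TEMPLATE.format(ext=21, proto="TCP", int_=21, host="192.168.1.50", on=0, desc="NAS ftp (disabled)"),
]
DMZ = ipaddress.ip_network("192.168.99.0/24")  # hypothetical enclosed VLAN where servers live
ALLOWED_EXTERNAL = {443}  # hypothetical allow-list: well-known ports of deliberately run services

def parse_mapping(xml_text):
    """Extract one mapping entry from its SOAP response; the entry's children are unnamespaced."""
    root = ET.fromstring(xml_text)
    text = lambda name: root.findtext(f".//{name}") or ""
    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
    }

def audit_mapping(m):
    """Policy violations for one mapping; an empty list means it is acceptable."""
    if not m["enabled"]:
        return []  # a disabled entry exposes nothing, whatever it points at
    problems = []
    if ipaddress.ip_address(m["internal_client"]) not in DMZ:
        problems.append(f"forwards to {m['internal_client']}, outside the server VLAN {DMZ}")
    if m["external_port"] not in ALLOWED_EXTERNAL:
        problems.append(f"external port {m['external_port']}/{m['protocol']} is not an approved service port")
    return problems

def audit_gateway(responses):
    """Return {'ext_port/proto (description)': violations} for every mapping that breaks the policy."""
    findings = {}
    for m in map(parse_mapping, responses):
        if problems := audit_mapping(m):
            findings[f"{m['external_port']}/{m['protocol']} ({m['description']})"] = problems
    return findings
```

Run against the real gateway, the responses would come from iterating NewPortMappingIndex until the service returns an error, which is the same walk a UPnP client library performs.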