So, I have a linux NAS with Transmission on it. I had a wide range of ports being forwarded to accommodate port randomization, but the NAS kept freezing. I realized that all my ports were being pinged non-stop and my router identified a bunch as DoS attacks. So, I took the NAS offline made sure UPnP was off (it wasn't!) and limited Transmission to a single port (42424). That worked great, and stopped the attacks.

I restart with some torrents and saw a bunch of [LAN access from remote] in the logs hitting my Transmission port (which is fine). To test, I decided to kill all torrents (seeds and downloads) and I still kept seeing [LAN access from remote] to that port. Okay, so then I remove port forwarding to that port and change the Transmission port to a new port... I still see [LAN access from remote] to port 42424 practically every second.

That's odd since I now longer have port forwarding to that port. So, I decide to add port 42424 to the Block Services list. Guess what, still seeing [LAN access from remote] to port 42424 every second. WTF?

Does [LAN access from remote] really not mean what I think it means (that the router is letting the external IP into that port on my NAS)? Or is it just other torrent clients who were seeding and they're still trying to ping that port (eventually they'll time out)? Why doesn't Block Services work? Am I crazy, or just stupid?

P.S. While we're at it, is there a way to cut IP addresses from the log and paste them into a block list?