You don't need the port under attack to be open.
If you've got any inbound services open on perimeter devices, then you are at risk if vulnerabilities exist in their implementation (or your configuration thereof) and you have failed to keep your patches up to date (assuming patches exist, of course).
There are some very innovative attack strategies out there that can make use of what might look to the layperson like innocent services... for example ICMP (a.k.a. PING / TRACEROUTE etc.)... the average Joe might not know what can be done these days with such an innocent-sounding service allowed through firewalls...
In this instance, the edge device was his HomeHub, and without the HomeHub ports open, his SPF and NAT in the HomeHub would have denied all access to the NAS located on his LAN, irrespective of the ports on the NAS being open.