Yeah there is Klingon. Here's my config:
config perm_rule
    option comment 'Allow PS4'
    option ext_ports '0-65535'
    option int_ports '0-65535'
    option action 'allow'
    option int_addr '192.168.1.x/24'

config perm_rule
    option action 'deny'
    option ext_ports '0-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '0-65535'
    option comment 'Deny UPnP Requests'

config upnpd 'config'
    option download '1024'
    option upload '512'
    option internal_iface 'lan'
    option port '5000'
    option upnp_lease_file '/var/upnp.leases'
    option enabled '1'
    option uuid 'x'
192.168.1.x/24 is the static IP Address of your Xbox outside the DHCP range. Make sure you have Secure Mode enabled. This means that only the IP that asks for the port forward will be forwarded to (i.e. 192.168.1.10 can't ask for 192.168.1.20). Any other devices on your LAN will not receive a port forward when asked through UPnP.
As far as security goes, at this point it is highly unlikely your Xbox has or will get malware on it, so not much need to worry in that aspect. As far as Flash requests on your PCs via UPnP go, well, those are blocked because their IP is not that of your Xbox, as we are blocking all other IPs from requesting. Yes, packets can be spoofed, but even if they are spoofed to open ports to your Xbox's IP, what will this accomplish? Most likely nothing. At this point, in order to open ports via UPnP to your PC if malware is on it, the malware has to either break in to the router and switch the address reserved for your Xbox with your PC. Highly unlikely. Or spoof the PC's MAC Address to the Xbox's MAC Address and acquire the Xbox's IP. If the malware is smart enough to do this, it is possible it could have a built-in mechanism as well to check for any port forwards and could spoof to any device that has an open port available to it and dynamically change the malicious service to run on that port as well, regardless of whether UPnP is enabled or disabled.
There are security risks when any port is opened by either forwarding or UPnP. The key is to do what you can to mitigate the risks and be vigilant and cautious when it comes to opening files and visiting sites on your PC. This UPnP setup is much more secure because the Xbox device is the only one that can request a forward via UPnP. In general, gaming consoles, when running stock firmware without homebrew and modifications, do not present a risk of malicious programs infecting them or services being exploited remotely. Thus, it's safe for them to be allowed UPnP requests.
Consoles generally have a list of what ports need forwarding for smooth operation. However, I have seen my share of games that require certain ports outside the typically used ports to function without hiccups. With different games and gaming manufacturers using different ports, it is hard to keep up with all the different ports you need to forward for a specific game to run smoothly online.
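Added example, not part of the original post: a small first-match evaluator for the two perm_rule sections above plus the Secure Mode check, used to test which LAN hosts the allow rule really covers. The addresses 192.168.1.50 (console) and 192.168.1.20 (PC), the port 3074 and the helper names are constructed for illustration; the prefix length is a parameter so the /24 from the config can be compared with a single-host /32.

```python
import ipaddress

CONSOLE = "192.168.1.50"  # constructed stand-in for the post's 192.168.1.x
PC = "192.168.1.20"       # constructed: some other host on the LAN

def rules_for(prefix_len):
    """The post's two perm_rule sections, in order, with a chosen prefix length."""
    return [
        ("allow", "0-65535", f"{CONSOLE}/{prefix_len}", "0-65535"),
        ("deny", "0-65535", "0.0.0.0/0", "0-65535"),
    ]

def in_range(port, spec):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def decide(rules, requester, int_addr, ext_port, int_port, secure_mode=True):
    """Decision for one UPnP port-mapping request: 'allow', 'deny' or 'no-match'."""
    # Secure Mode: a client may only ask for a forward to its own address.
    if secure_mode and requester != int_addr:
        return "deny"
    target = ipaddress.ip_address(int_addr)
    for action, ext_ports, net, int_ports in rules:
        # strict=False accepts host bits in the address, as in '192.168.1.50/24';
        # the mask then selects the whole 192.168.1.0/24 network.
        network = ipaddress.ip_network(net, strict=False)
        if (target in network and in_range(ext_port, ext_ports)
                and in_range(int_port, int_ports)):
            return action  # first matching rule wins
    return "no-match"  # not reached here: the rule set ends in a catch-all deny

def report(prefix_len):
    rules = rules_for(prefix_len)
    return {
        "console_for_itself": decide(rules, CONSOLE, CONSOLE, 3074, 3074),
        "pc_for_itself": decide(rules, PC, PC, 3074, 3074),
        "pc_for_console": decide(rules, PC, CONSOLE, 3074, 3074),
    }

if __name__ == "__main__":
    for prefix_len in (24, 32):
        print(f"/{prefix_len}:", report(prefix_len))
```

With the /24 mask the allow rule matches every address in 192.168.1.0/24, so the PC's own request is allowed; with /32 only the console's address matches and everything else falls through to the deny rule.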