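# Shorewall rules for the services a NAS host may expose.
#
# Every parameter is a boolean switch, off by default. Simple services are
# delegated to a dedicated rules class (shorewall::rules::* or
# firewall::shorewall::*); the remaining services declare their
# shorewall::rule resources inline below.
#
# All inline rules accept traffic from the `net` zone to the firewall host
# itself (`$FW` is Shorewall's literal name for the firewall zone, hence the
# single quotes). NOTE(review): confirm that `net` is the trusted LAN zone in
# this deployment — with `net` as the upstream/Internet zone these rules would
# expose NFS, SMB/NetBIOS, TFTP and the media services publicly.
#
# @param ftp      Include shorewall::rules::ftp.
# @param tftp     Include shorewall::rules::tftp.
# @param http     Include shorewall::rules::http.
# @param nfsd     Include shorewall::rules::nfsd plus the extra RPC port rules.
# @param rsync    Include shorewall::rules::rsync.
# @param printer  Include firewall::shorewall::printer.
# @param torrent  Include firewall::shorewall::torrent.
# @param mpd      Include firewall::shorewall::mpd.
# @param samba    Accept SMB and NetBIOS (tcp/udp 137-139).
# @param dlna     Accept SSDP (1900), the DLNA server port (8200) and UPnP,
#                 and enable MULTICAST in shorewall.conf.
# @param daap     Accept DAAP (tcp/udp 3689).
# @param avahi    Accept mDNS (udp 5353).
class firewall::implementations::shorewall::nas (
  $ftp     = false,
  $tftp    = false,
  $http    = false,
  $nfsd    = false,
  $rsync   = false,
  $printer = false,
  $torrent = false,
  $mpd     = false,
  $samba   = false,
  $dlna    = false,
  $daap    = false,
  $avahi   = false,
) {

  if $ftp == true {
    include shorewall::rules::ftp
  }

  if $tftp == true {
    include shorewall::rules::tftp
  }

  if $http == true {
    include shorewall::rules::http
  }

  if $nfsd == true {
    include shorewall::rules::nfsd

    # Additional ports needed by NFS, captured with `rpcinfo -p` and
    # `netstat -ap` on one host. NOTE(review): these appear to be dynamically
    # assigned RPC ports (mountd/statd/lockd), which change across service
    # restarts; if so, pin them in the NFS configuration and keep this list
    # in sync with the pinned values. Repeated entries (46661 x3, 53081 x3)
    # in the original lists were collapsed to a single occurrence.
    shorewall::rule { 'nfs-1':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'tcp',
      destinationport => '35150,43902,46661,50340,54814,57170,58403,59780',
      ratelimit       => '-',
      order           => 100,
    }

    shorewall::rule { 'nfs-2':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'udp',
      destinationport => '938,38511,43195,53081,38521,45238,52664,52400,60331',
      ratelimit       => '-',
      order           => 100,
    }
  }

  if $rsync == true {
    include shorewall::rules::rsync
  }

  if $printer == true {
    include firewall::shorewall::printer
  }

  if $torrent == true {
    include firewall::shorewall::torrent
  }

  if $mpd == true {
    include firewall::shorewall::mpd
  }

  if $samba == true {
    # See http://www.shorewall.net/samba.htm
    # SMB/ACCEPT is the Shorewall macro, so proto/port are left as '-'.
    shorewall::rule { 'samba':
      action          => 'SMB/ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => '-',
      destinationport => '-',
      ratelimit       => '-',
      order           => 100,
    }

    shorewall::rule { 'netbios-1':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'tcp',
      destinationport => '137,138,139',
      ratelimit       => '-',
      order           => 100,
    }

    shorewall::rule { 'netbios-2':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'udp',
      destinationport => '137,138,139',
      ratelimit       => '-',
      order           => 100,
    }
  }

  if $dlna == true {
    # DLNA
    #
    # https://wiki.archlinux.org/index.php/MiniDLNA
    # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
    # http://wiki.alpinelinux.org/wiki/IPTV_How_To
    # http://mediatomb.cc/dokuwiki/faq:faq
    # http://packages.debian.org/wheezy/djmount
    # http://packages.debian.org/wheezy/gupnp-tools
    #
    # Optional:
    #
    # http://www.shorewall.net/UPnP.html
    #
    # linux-igd package
    # /etc/default/linux-igd
    # /etc/upnpd.conf

    # SSDP discovery.
    shorewall::rule { 'dlna-1':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'tcp,udp',
      destinationport => '1900',
      ratelimit       => '-',
      order           => 102,
    }

    # DLNA media server port.
    shorewall::rule { 'dlna-2':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'tcp,udp',
      destinationport => '8200',
      ratelimit       => '-',
      order           => 103,
    }

    # allowinUPnP / forwardUPnP are Shorewall actions; they take no
    # proto/port of their own.
    shorewall::rule { 'dlna-3':
      action      => 'allowinUPnP',
      source      => 'net',
      destination => '$FW',
      order       => 104,
    }

    shorewall::rule { 'dlna-4':
      action      => 'forwardUPnP',
      source      => 'net',
      destination => '$FW',
      order       => 105,
    }

    # Enable multicast so SSDP/DLNA discovery traffic is not dropped.
    augeas { 'enable_multicast':
      changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
      lens    => 'Shellvars.lns',
      incl    => '/etc/shorewall/shorewall.conf',
      notify  => Service[shorewall],
    }
  }

  if $daap == true {
    # DAAP
    shorewall::rule { 'daap-1':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'tcp',
      destinationport => '3689',
      order           => 300,
    }

    shorewall::rule { 'daap-2':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'udp',
      destinationport => '3689',
      order           => 301,
    }
  }

  if $avahi == true {
    # Avahi/mDNS
    shorewall::rule { 'mdns':
      action          => 'ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => 'udp',
      destinationport => '5353',
      order           => 400,
    }
  }
}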