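# Shorewall rules for a NAS host.
#
# Pulls in the generic file-sharing rule sets (ftp, tftp, http, nfsd, rsync)
# plus the printer, torrent and mpd rule sets from sibling classes, then adds
# the host-specific rules for NFS helper daemons, SMB/NetBIOS, DLNA/UPnP,
# DAAP and mDNS.
#
# NOTE(review): every rule below accepts traffic from the `net` zone. If that
# zone is the Internet-facing interface rather than the LAN, then NFS, SMB,
# DLNA and UPnP are all reachable from it; confirm the zone layout in the
# Shorewall zones/interfaces files before reusing this class elsewhere.
#
# Parameters (the defaults are exactly the port lists this class used to
# hard-code, with duplicate entries removed; the accepted set is unchanged):
#
#   $nfs_tcp_ports  comma-separated TCP ports of the RPC-assigned NFS helper
#                   daemons, as captured with `rpcinfo -p` / `netstat -ap`.
#   $nfs_udp_ports  the same for UDP.
#
# Ports handed out by rpcbind are not stable across daemon restarts unless
# the daemons themselves are configured with fixed ports (outside this
# class). Treat the defaults as a snapshot: override them, or pin the daemon
# ports and update the override, rather than editing the literals here.
# The fixed NFS ports themselves are expected to come from
# shorewall::rules::nfsd -- verify that include before relying on it.
#
# Shorewall's `$FW` is deliberately single-quoted throughout: a double-quoted
# "$FW" would be interpolated by Puppet as an undefined Puppet variable.
class firewall::nas (
  $nfs_tcp_ports = '35150,43902,46661,50340,54814,57170,58403,59780',
  $nfs_udp_ports = '938,38511,43195,53081,38521,45238,52664,52400,60331'
) {

  # Basic firewall rules
  include shorewall::rules::ftp
  include shorewall::rules::tftp
  include shorewall::rules::http
  include shorewall::rules::nfsd
  include shorewall::rules::rsync
  include firewall::printer
  include firewall::torrent
  include firewall::mpd

  # Additional ports needed by NFS
  # Got using rpcinfo -p and netstat -ap (see the parameter notes above:
  # these are RPC-assigned and may move when the daemons restart).
  shorewall::rule { 'nfs-1':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => $nfs_tcp_ports,
    ratelimit       => '-',
    order           => 100,
  }

  shorewall::rule { 'nfs-2':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => $nfs_udp_ports,
    ratelimit       => '-',
    order           => 100,
  }

  # See http://www.shorewall.net/samba.htm
  # The SMB macro opens the standard SMB/NetBIOS ports; proto/port are
  # left as '-' because the macro supplies them.
  shorewall::rule { 'samba':
    action          => 'SMB/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 100,
  }

  # Explicit NetBIOS rules. These overlap with what the SMB macro above
  # already accepts; they are kept so the rule set stays identical, but
  # NetBIOS name/datagram service (137/138) is UDP -- the TCP entries for
  # those two ports are most likely never matched.
  shorewall::rule { 'netbios-1':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '137,138,139',
    ratelimit       => '-',
    order           => 100,
  }

  shorewall::rule { 'netbios-2':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => '137,138,139',
    ratelimit       => '-',
    order           => 100,
  }

  # DLNA
  #
  # https://wiki.archlinux.org/index.php/MiniDLNA
  # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
  # http://wiki.alpinelinux.org/wiki/IPTV_How_To
  # http://mediatomb.cc/dokuwiki/faq:faq
  # http://packages.debian.org/wheezy/djmount
  # http://packages.debian.org/wheezy/gupnp-tools
  #
  # Optional:
  #
  # http://www.shorewall.net/UPnP.html
  #
  # linux-igd package
  # /etc/default/linux-igd
  # /etc/upnpd.conf

  # SSDP discovery
  shorewall::rule { 'dlna-1':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp,udp',
    destinationport => '1900',
    ratelimit       => '-',
    order           => 102,
  }

  # Media server HTTP port
  shorewall::rule { 'dlna-2':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp,udp',
    destinationport => '8200',
    ratelimit       => '-',
    order           => 103,
  }

  # Shorewall UPnP actions (see the UPnP link above). 'forwardUPnP' lets the
  # IGD daemon open ports dynamically, so only enable it where that is
  # intended.
  shorewall::rule { 'dlna-3':
    action      => 'allowinUPnP',
    source      => 'net',
    destination => '$FW',
    order       => 104,
  }

  shorewall::rule { 'dlna-4':
    action      => 'forwardUPnP',
    source      => 'net',
    destination => '$FW',
    order       => 105,
  }

  # Enable multicast (needed for SSDP/mDNS discovery); Shorewall must be
  # restarted to pick up the changed shorewall.conf.
  augeas { 'enable_multicast':
    changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
    lens    => 'Shellvars.lns',
    incl    => '/etc/shorewall/shorewall.conf',
    notify  => Service[shorewall],
  }

  # DAAP
  shorewall::rule { 'daap-1':
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '3689',
    order           => 300,
    action          => 'ACCEPT',
  }

  shorewall::rule { 'daap-2':
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => '3689',
    order           => 301,
    action          => 'ACCEPT',
  }

  # Avahi/mDNS
  shorewall::rule { 'mdns':
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => '5353',
    order           => 400,
    action          => 'ACCEPT',
  }
}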