# @summary Exposes a virtual host's SSH service through Shorewall DNAT rules.
#
# Declares two shorewall::rule resources, both DNAT over tcp and both
# matching $port_orig as the destination port:
#
#   * "ssh-<name>-1": source 'net', forwarded to "<zone>:<destination>".
#   * "ssh-<name>-2": source '$FW', forwarded to "fw:<destination>", with
#     originaldest set to the firewall's external IP.
#
# When $port_dest is not the empty string, ":<port_dest>" is appended to
# both DNAT targets.
#
# @param destination
#   Address placed after the zone in the DNAT target.
# @param port_orig
#   Port matched on the incoming connection. Also appended to '2' to form
#   the order value shared by both rules.
# @param port_dest
#   Port on the destination host. '' leaves the port out of the DNAT target.
# @param zone
#   Shorewall zone used in the target of the first rule only.
#
# NOTE(review): the parameters carry no data types and are interpolated
# verbatim into the rule fields, so callers should pass only validated
# addresses and ports.
define firewall::virtual::ssh(
  $destination,
  $port_orig = '22',
  $port_dest = '',
  $zone      = 'vm'
) {
  # Optional ":<port>" tail shared by both DNAT targets.
  $port_suffix = $port_dest ? {
    ''      => '',
    default => ":${port_dest}",
  }

  # Inbound SSH arriving from the 'net' zone.
  # NOTE(review): ratelimit is '-', which looks like Shorewall's empty-column
  # placeholder, so this rule presumably applies no connection rate limit to
  # SSH exposed to 'net'. Confirm that brute-force throttling is enforced
  # elsewhere (a rate-limited rule, fail2ban, or sshd itself).
  shorewall::rule { "ssh-${name}-1":
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}${port_suffix}",
    proto           => 'tcp',
    destinationport => "${port_orig}",
    ratelimit       => '-',
    order           => "2${port_orig}",
  }

  # Connections that originate on the firewall host itself ('$FW' is a
  # literal Shorewall token, hence the single quotes). originaldest comes from
  # the 'firewall::external_ip' lookup key, falling back to the $::ipaddress
  # fact when the key is not set.
  # NOTE(review): the target zone is the literal 'fw', not $zone; confirm
  # that this is intended.
  shorewall::rule { "ssh-${name}-2":
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}${port_suffix}",
    proto           => 'tcp',
    destinationport => "${port_orig}",
    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
}