# Forwards inbound Tor relay traffic through the firewall to an internal host.
#
# Declares four shorewall DNAT rules, two per TCP port (9001 and 9030,
# conventionally Tor's ORPort and DirPort):
#   - tor-0 / tor-2: connections arriving from the 'net' zone.
#   - tor-1 / tor-3: connections originating on the firewall itself ($FW)
#     whose original destination is the firewall's external address,
#     presumably so the firewall host can reach the relay via that address too.
#
# Parameters:
#   $destination - address of the host that receives the forwarded traffic.
#                  It is interpolated into the rule target as-is; this class
#                  does not validate it.
#                  NOTE(review): callers should pass a literal IP address.
#   $zone        - shorewall zone that contains $destination (default 'fw').
#
# NOTE(review): every rule sets ratelimit => '-', which looks like shorewall's
# empty-column placeholder, i.e. no rate limit on these publicly forwarded
# ports. Confirm against shorewall::rule that this is intended.
class firewall::virtual::tor($destination, $zone = 'fw') {
  shorewall::rule {
    # Port 9001, from the internet-facing zone.
    'tor-0':
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:9001",
      proto           => 'tcp',
      destinationport => '9001',
      ratelimit       => '-',
      order           => 2100;

    # Port 9001, from the firewall host itself. '$FW' is single-quoted so the
    # literal string reaches shorewall instead of being interpolated by Puppet.
    # The original destination comes from the Hiera key firewall::external_ip,
    # falling back to the $::ipaddress fact.
    'tor-1':
      action          => 'DNAT',
      source          => '$FW',
      destination     => "${zone}:${destination}:9001",
      proto           => 'tcp',
      destinationport => '9001',
      originaldest    => hiera('firewall::external_ip', $::ipaddress),
      ratelimit       => '-',
      order           => 2101;

    # Port 9030, from the internet-facing zone.
    'tor-2':
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:9030",
      proto           => 'tcp',
      destinationport => '9030',
      ratelimit       => '-',
      order           => 2102;

    # Port 9030, from the firewall host itself (same lookup as tor-1).
    'tor-3':
      action          => 'DNAT',
      source          => '$FW',
      destination     => "${zone}:${destination}:9030",
      proto           => 'tcp',
      destinationport => '9030',
      originaldest    => hiera('firewall::external_ip', $::ipaddress),
      ratelimit       => '-',
      order           => 2103;
  }
}