# Forwards puppetmaster traffic arriving at the firewall to a VM using
# Shorewall DNAT rules.
#
# Parameters:
#   $destination              - address of the VM that receives the traffic.
#   $puppetmaster_port        - port forwarded with the SSL rate limit applied
#                               (default '8140').
#   $puppetmaster_nonssl_port - second port, forwarded with no rate limit
#                               (default '8141').
#   $zone                     - Shorewall zone holding the VM (default 'fw').
#
# Hiera keys read:
#   firewall::ssl_ratelimit - rate limit for rules 1-4; falls back to '-'.
#   firewall::external_ip   - original destination matched by the '$FW'
#                             rules; falls back to the $::ipaddress fact.
#
# NOTE(review): rules 5-8 publish the port named "nonssl" to the 'net' zone
# with ratelimit '-'. If that listener really is plaintext, confirm it has to
# be reachable from 'net' at all rather than only from a local TLS proxy.
# NOTE(review): every port is forwarded for udp as well as tcp. Puppet agent
# traffic is presumably HTTPS over TCP only - confirm the udp rules (2, 4, 6
# and 8) are needed; if not, they are exposure with no matching service.
class firewall::vm::puppetmaster(
  $destination,
  $puppetmaster_port        = '8140',
  $puppetmaster_nonssl_port = '8141',
  $zone                     = 'fw'
) {
  # Looked up once and shared by the rules below.
  $ssl_ratelimit = hiera('firewall::ssl_ratelimit', '-')
  $external_ip   = hiera('firewall::external_ip', $::ipaddress)

  # DNAT targets in the zone:address:port form used by every rule.
  $ssl_target    = "${zone}:${destination}:${puppetmaster_port}"
  $nonssl_target = "${zone}:${destination}:${puppetmaster_nonssl_port}"

  # --- $puppetmaster_port: traffic arriving from the 'net' zone ---
  shorewall::rule { 'puppetmaster-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => $ssl_target,
    proto           => 'tcp',
    destinationport => "${puppetmaster_port}",
    ratelimit       => $ssl_ratelimit,
    order           => 700,
  }

  shorewall::rule { 'puppetmaster-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => $ssl_target,
    proto           => 'udp',
    destinationport => "${puppetmaster_port}",
    ratelimit       => $ssl_ratelimit,
    order           => 701,
  }

  # --- $puppetmaster_port: traffic originating on the firewall itself ---
  # '$FW' is single-quoted, so Puppet passes it through literally for
  # Shorewall to resolve. originaldest limits the rewrite to connections
  # addressed to the external IP.
  shorewall::rule { 'puppetmaster-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $ssl_target,
    proto           => 'tcp',
    destinationport => "${puppetmaster_port}",
    originaldest    => $external_ip,
    ratelimit       => $ssl_ratelimit,
    order           => 702,
  }

  shorewall::rule { 'puppetmaster-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $ssl_target,
    proto           => 'udp',
    destinationport => "${puppetmaster_port}",
    originaldest    => $external_ip,
    ratelimit       => $ssl_ratelimit,
    order           => 703,
  }

  # --- $puppetmaster_nonssl_port: traffic arriving from the 'net' zone ---
  # These rules always use ratelimit '-'; the hiera rate limit is not applied.
  shorewall::rule { 'puppetmaster-5':
    action          => 'DNAT',
    source          => 'net',
    destination     => $nonssl_target,
    proto           => 'tcp',
    destinationport => "${puppetmaster_nonssl_port}",
    ratelimit       => '-',
    order           => 704,
  }

  shorewall::rule { 'puppetmaster-6':
    action          => 'DNAT',
    source          => 'net',
    destination     => $nonssl_target,
    proto           => 'udp',
    destinationport => "${puppetmaster_nonssl_port}",
    ratelimit       => '-',
    order           => 705,
  }

  # --- $puppetmaster_nonssl_port: traffic originating on the firewall ---
  shorewall::rule { 'puppetmaster-7':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $nonssl_target,
    proto           => 'tcp',
    destinationport => "${puppetmaster_nonssl_port}",
    originaldest    => $external_ip,
    ratelimit       => '-',
    order           => 706,
  }

  shorewall::rule { 'puppetmaster-8':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $nonssl_target,
    proto           => 'udp',
    destinationport => "${puppetmaster_nonssl_port}",
    originaldest    => $external_ip,
    ratelimit       => '-',
    order           => 707,
  }
}