diff --git a/qubes/firewall.py b/qubes/firewall.py index 6011a659..a89e3eee 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -694,7 +694,10 @@ class Firewall: directly separate forwarding rules from standard rules since they need to be handled differently later. ''' - entries = {} + entries = { + "internal": [], + "external": [] + } if addr_family is not None: exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' for ruleno, rule in zip(itertools.count(), self.rules): @@ -706,5 +709,10 @@ class Firewall: # include only forwarding rules if rule.action != "forward": continue - entries['{:04}'.format(ruleno)] = rule.rule + if rule.forwardtype == "internal": + entries["internal"]['{:04}'.format(ruleno)] = rule.rule + elif rule.forwardype == "external": + entries["external"]['{:04}'.format(ruleno)] = rule.rule + else: + raise ValueError('invalid forwardtype for rule') return entries
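Review bot: The two buckets in the new `entries` initialiser are lists, but the second hunk stores into them with a string key (`entries["internal"]['{:04}'.format(ruleno)] = rule.rule`), which raises TypeError on the first forwarding rule. Initialise them as dicts instead: `entries = {"internal": {}, "external": {}}`. The return value also changes from a flat ruleno-to-rule mapping to a nested one, so any caller that iterates the result (none is visible in this diff) presumably needs updating, and the docstring should describe the new shape. The function signature and the start of the docstring are outside the hunk.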
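Review bot: `rule.forwardype` in the `elif` is misspelled (the `if` above it reads `rule.forwardtype`), so a forward rule that is not "internal" will most likely raise AttributeError instead of landing in the "external" bucket or reaching the ValueError. Change the line to `elif rule.forwardtype == "external":`. Because this serialises firewall rules, it is worth confirming that the caller treats an exception here as fail-closed; that is not visible in the hunk. The ValueError would be easier to act on if it named the offending rule, e.g. `raise ValueError('invalid forwardtype {!r} for rule {}'.format(rule.forwardtype, ruleno))`. The loop body starts outside this hunk.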