diff --git a/qubes/firewall.py b/qubes/firewall.py
index bb79ab29..c5146759 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -292,13 +292,28 @@ class Rule(qubes.PropertyHolder):
 if self.icmptype:
 self.on_set_icmptype('property-set:icmptype', 'icmptype', self.icmptype, None)
+ # dependencies for forwarding
+ if self.forwardtype:
+ self.on_set_forwardtype('property-set:forwardtype', 'forwardtype',
+ self.forwardtype, None)
+ if self.srcports:
+ self.on_set_srcports('property-set:srcports', 'srcports',
+ self.srcports, None)
 self.property_require('action', False, True)
+ if self.action is 'forward':
+ self.property_require('forwardtype', False, True)
+ self.property_require('srcports', False, True)
 action = qubes.property('action', type=Action, order=0, doc='rule action')
+ forwardtype = qubes.property('forwardtype',
+ type=Action,
+ order=0,
+ doc='forwarding type (\'internal\' or \'external\')')
+
 proto = qubes.property('proto', type=Proto, default=None,
@@ -317,6 +332,12 @@ class Rule(qubes.PropertyHolder):
 order=2, doc='Destination port(s) (for \'tcp\' and \'udp\' protocol only)')
+ srcports = qubes.property('srcports',
+ type=DstPorts,
+ default=None,
+ order=2,
+ doc='Inbound port(s) (for forwarding only)')
+
 icmptype = qubes.property('icmptype', type=IcmpType, default=None,
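Review bot: `if self.action is 'forward':` tests object identity against a string literal, so it is not a reliable value check and the two `property_require` calls under it may never run; a forward rule could then load without `forwardtype` or `srcports`. Other checks visible on this page compare rule options by value (for example `newvalue not in ('icmp',)`), so `if self.action == 'forward':` fits. In the same hunk `forwardtype` is declared with `type=Action` and no `default=None`, while its doc string promises 'internal' or 'external'; it probably needs its own choice type and a `None` default, otherwise `if self.forwardtype:` a few lines up may fail or mis-validate on rules that never set it. The `__init__` body these lines belong to starts above the hunk.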
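Review bot: `srcports` is declared with `type=DstPorts` and `order=2`, the same `order` as the destination-port property whose tail is visible in the context lines. If `DstPorts` carries its option name into the serialised rule, which is not visible here, the inbound ports would be written out as destination ports and the forwarding rule would apply to the wrong port. A separate port type (or a shared port-range base with its own name) and a distinct `order` would avoid that. The doc string could also state whether a range or only a single port is accepted, e.g. `doc='Inbound port or port range on the forwarding side (forward action only)'`.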
@@ -363,6 +384,20 @@ class Rule(qubes.PropertyHolder):
 if newvalue not in ('icmp',):
 self.icmptype = qubes.property.DEFAULT
+ @qubes.events.handler('property-pre-set:forwardtype')
+ def on_set_forwardtype(self, event, name, newvalue, oldvalue=None):
+ # pylint: disable=unused-argument
+ if self.action not 'forward':
+ raise ValueError(
+ 'forwardtype valid only for forward action')
+ @qubes.events.handler('property-pre-set:srcports')
+ def on_set_srcports(self, event, name, newvalue, oldvalue=None):
+ # pylint: disable=unused-argument
+ if self.action not 'forward':
+ raise ValueError(
+ 'srcports valid only for forward action')
+
 @qubes.events.handler('property-reset:proto')
 def on_reset_proto(self, event, name, oldvalue):
 # pylint: disable=unused-argument
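Review bot: `if self.action not 'forward':` is not valid Python, in both `on_set_forwardtype` and `on_set_srcports`, so `qubes/firewall.py` raises a SyntaxError on import and none of the rule validation in it can run. The intended check is presumably `if self.action != 'forward':`. Both handlers are registered for `property-pre-set:` while `__init__` in the first hunk calls them with a `property-set:` event name, which is worth aligning. There is also no counterpart that resets `forwardtype` and `srcports` when `action` later changes away from forward, the way the context lines above reset `icmptype`; without one a rule can keep stale forwarding ports after being switched to another action. A one-line docstring on each handler, such as `"""Reject forwardtype unless the rule action is forward."""`, would state the constraint.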