diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 5712144ad..963538f7f 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -1189,7 +1189,7 @@
 DESC
 },
 toports: {
- type: 'Optional[Pattern[/^\d+(?:-\d+)?$/]]',
+ type: 'Optional[Variant[Integer[0, 65535], Pattern[/^\d+(?:-\d+)?$/]]]',
 desc: <<-DESC
 For REDIRECT/MASQUERADE this is the port that will replace the destination/source port.
 Can specify a single new port or an inclusive range of ports.
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index 43e5ca291..e072ea625 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -144,6 +144,13 @@ class { '::firewall': }
 jump => 'REDIRECT',
 toports => '2222',
 }
+ firewall { '575 - toports-numeric':
+ proto => icmp,
+ table => 'nat',
+ chain => 'PREROUTING',
+ jump => 'REDIRECT',
+ toports => 3333,
+ }
 firewall { '581 - pkttype':
 ensure => present,
 proto => tcp,
@@ -441,6 +448,10 @@ class { '::firewall': }
 expect(result.stdout).to match(%r{-A PREROUTING -p (icmp|1) -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
 end

+ it 'toports-numeric is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p (icmp|1) -m comment --comment "575 - toports-numeric" -j REDIRECT --to-ports 3333})
+ end
+
 it 'rpfilter is set' do
 expect(result.stdout).to match(%r{-A PREROUTING -p (tcp|6) -m rpfilter --loose --validmark --accept-local --invert -m comment --comment "900 - set rpfilter" -j ACCEPT})
 end
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index f2f280e9f..7269b5567 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
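Review bot: In lib/puppet/type/firewall.rb the new `toports` type bounds only its integer branch: `Integer[0, 65535]` rejects 70000, but the string branch still accepts any digit run, so `'70000'` or a range such as `'90000-99999'` passes type validation. The pattern also keeps `^`/`$`, which in a Ruby regex anchor per line rather than per string, so a multi-line string in which one line is a port would still match; `Pattern[/\A\d+(?:-\d+)?\z/]` closes that. Whether the provider range-checks string values before it builds `--to-ports` is not visible in this hunk and is worth confirming. The attribute's `desc` text, which continues outside the hunk, could also state that an integer is now accepted.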
@@ -507,9 +507,9 @@
 { name: '001 test rule', tosource: 313 }]
 },
 ':toports': {
- valid: [{ name: '001 test rule', toports: '40' }, { name: '001 test rule', tosource: '50-60' }],
- invalid: [{ name: '001 test rule', toports: 'invalid' }, { name: '001 test rule', toports: false },
- { name: '001 test rule', toports: 313 }]
+ valid: [{ name: '001 test rule', toports: '40' }, { name: '001 test rule', tosource: '50-60' },
+ { name: '001 test rule', toports: 313 }],
+ invalid: [{ name: '001 test rule', toports: 'invalid' }, { name: '001 test rule', toports: false }]
 },
 ':to': {
 valid: [{ name: '001 test rule', to: '10.0.0.2' }, { name: '001 test rule', to: '10.0.0.2/24' }],
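Review bot: The rewritten `valid:` line in the `':toports'` case still carries `{ name: '001 test rule', tosource: '50-60' }`, so the range form of `toports` is never exercised by this table; it looks like a copy from the `tosource` case and should read `toports: '50-60'`. The `invalid:` list also has no integer outside the new `Integer[0, 65535]` bound, so adding `{ name: '001 test rule', toports: 65536 }` and `{ name: '001 test rule', toports: -1 }` would pin the range the type change introduces. The table that holds these cases starts and ends outside the hunk.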