class firewall::rules::out::puppet (
  String $ipset = 'puppetmaster',
  Array[Stdlib::Port] $ports = [8140],
) {

  $ports.each |$port| {
    nftables::rule { "default_out-puppet_${port}":
      content => "tcp dport ${port} ip daddr @${ipset} accept",
    }
  }
}