diff --git a/CHANGELOG.md b/CHANGELOG.md
index dedefc13..2ec5ce9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ This file is used to list changes made in each version of the firewall cookbook.
 ## Unreleased
+fix port sorting in generated firewall rules file
+
 ## 6.3.6 - *2024-05-06*
 ## 6.3.5 - *2024-05-06*
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 497c586d..61918ead 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -11,7 +11,7 @@ def port_to_s(p)
     p.to_s
   elsif p && p.is_a?(Array)
     p_strings = p.map { |o| port_to_s(o) }
-    p_strings.sort.join(',')
+    p_strings.sort_by { |s| s.scan(/\d+/).first.to_i }.join(',')
   elsif p && p.is_a?(Range)
     if platform_family?('windows')
       "#{p.first}-#{p.last}"
diff --git a/test/fixtures/cookbooks/firewall-test/recipes/default.rb b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
index f6183f5a..c3013aff 100644
--- a/test/fixtures/cookbooks/firewall-test/recipes/default.rb
+++ b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
@@ -107,4 +107,9 @@
   command :allow
 end
+firewall_rule 'FreeIPA ports' do
+  port %w(80 88 389 443 464 636)
+  source '10.10.10.10'
+end
+
 include_recipe 'firewall-test::windows' if windows?
diff --git a/test/integration/ufw/inspec/ufw_spec.rb b/test/integration/ufw/inspec/ufw_spec.rb
index ef5e847a..3c020837 100644
--- a/test/integration/ufw/inspec/ufw_spec.rb
+++ b/test/integration/ufw/inspec/ufw_spec.rb
@@ -10,6 +10,7 @@
       %r{ 1000:1100/tcp + ALLOW IN +Anywhere},
       %r{ 1234,5000:5100,5678/tcp + ALLOW IN +Anywhere},
       %r{ 23/tcp + LIMIT IN +Anywhere},
+      %r{ 80,88,389,443,464,636/tcp + ALLOW IN +10\.10\.10\.10},
       /# ssh22/,
     ]
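Review bot: The new sort key on the `+` line in libraries/helpers.rb uses only the first number of each entry, so entries that share a leading number (`80` and `80:90`) or have no digits at all (`nil.to_i` maps them all to 0) tie, and their relative order is then decided by Ruby's `sort_by`, which is documented as not stable, rather than by the key. If the purpose of sorting is a canonical rule string that does not depend on how the attribute array was written, add the string itself as a tiebreak: `p_strings.sort_by { |s| [s[/\d+/].to_i, s] }.join(',')`, which keeps the numeric-first order the FreeIPA test expects while making ties deterministic. A one-line comment such as `# numeric order so 80 sorts before 389; lexical sort put it last` would also help, since the previous lexical `sort` read as intentional. `port_to_s` starts at the hunk header and its Range/Windows branch continues past the last context line, outside this view.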
@@ -28,3 +29,12 @@
     its(:stdout) { should match(/Status: active/) }
   end
 end
+
+describe file('/etc/default/ufw-chef.rules') do
+  it { should exist }
+  its(:size) { should > 0 }
+  its(:mode) { should cmp '0644' }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  its(:content) { should match /ufw allow in proto tcp to any port 80,88,389,443,464,636 from 10.10.10.10 comment "FreeIPA ports"/ }
+end
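Review bot: The content regex on the added `its(:content)` line leaves the dots in `10.10.10.10` unescaped and passes the literal to `match` without parentheses, whereas the status assertion added earlier in this same file escapes them as `10\.10\.10\.10`. An unescaped `.` matches any character, so this check is looser than it reads, and `should match /…/` can trigger Ruby's ambiguous-first-argument warning under `-w`. Suggest `its(:content) { should match(%r{ufw allow in proto tcp to any port 80,88,389,443,464,636 from 10\.10\.10\.10 comment "FreeIPA ports"}) }`. The mode/ownership assertions are a sensible addition for a file that holds firewall commands; keep them if the generated file's permissions are ever changed.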