diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index b3698ee48..03e71367e 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2191,7 +2191,20 @@ determine_capabilities() {
 	qt $g_tool -t raw -X $chain
 	qt $g_tool -t raw -N $chain
 	
-	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
+	if qt $g_tool -t raw -A $chain -j CT --notrack; then
+	    CT_TARGET=Yes;
+
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -J CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	fi
 
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain	   
@@ -2246,16 +2259,25 @@ determine_capabilities() {
     qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
 
-    qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda     && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
-    qt $g_tool -A $chain -p tcp --dport 21    -m helper --helper ftp        && HELPER_MATCH=Yes && FTP_HELPER=Yes
-    qt $g_tool -A $chain -p udp --dport 1719  -m helper --helper RAS        && HELPER_MATCH=Yes && H323_HELPER=Yes
-     $g_tool -A $chain -p tcp --dport 6667  -m helper --helper irc        && HELPER_MATCH=Yes && IRC_HELPER=Yes
-    qt $g_tool -A $chain -p udp --dport 137   -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
-    qt $g_tool -A $chain -p tcp --dport 1729  -m helper --helper pptp       && HELPER_MATCH=Yes && PPTP_HELPER=Yes
-    qt $g_tool -A $chain -p tcp --dport 6566  -m helper --helper sane       && HELPER_MATCH=Yes && SANE_HELPER=Yes
-    qt $g_tool -A $chain -p udp --dport 5060  -m helper --helper sip        && HELPER_MATCH=Yes && SIP_HELPER=Yes
-    qt $g_tool -A $chain -p udp --dport 161   -m helper --helper snmp       && HELPER_MATCH=Yes && SNMP_HELPER=Yes
-    qt $g_tool -A $chain -p udp --dport 69    -m helper --helper tftp       && HELPER_MATCH=Yes && TFTP_HELPER=Yes
+    #
+    # -m helper doesn't verify the existence of the specified helper :-(
+    #
+    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
+	HELPER_MATCH=Yes
+
+	if [ -z "$CT_TARGET" ]; then
+	    AMANDA_HELPER=Yes
+	    FTP_HELPER=Yes
+	    H323_HELPER=Yes
+	    IRC_HELPER=Yes
+	    NS_HELPER=Yes
+	    PPTP_HELPER=Yes
+	    SANE_HELPER=Yes
+	    SIP_HELPER=Yes
+	    SNMP_HELPER=Yes
+	    TFTP_HELPER=Yes
+	fi
+    fi
 
     qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
diff --git a/docs/Helpers.xml b/docs/Helpers.xml
index 41be054d8..2a8f1aef5 100644
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -240,7 +240,7 @@
     <title>Shorewall Support for Helpers</title>
 
     <para>Shorewall includes support for helpers is several areas. These areas
-    are covered in the sections below. </para>
+    are covered in the sections below.</para>
 
     <section>
       <title>Module Loading</title>
@@ -287,9 +287,10 @@
             <para>This option was added in Shorewall 4.5.7 and lists the
             modules to be enabled for association with connections. This
             option is fully functional only on systems running kernel 3.5 or
-            later. On systems running earlier kernels, the only way to totally
-            disable a module is to not load it. The module names allowed in
-            this list are <emphasis role="bold">amanda</emphasis>, <emphasis
+            later.</para>
+
+            <para>The module names allowed in this list are <emphasis
+            role="bold">amanda</emphasis>, <emphasis
             role="bold">ftp</emphasis>, <emphasis role="bold">h323</emphasis>,
             <emphasis role="bold">irc</emphasis>, <emphasis
             role="bold">netbios-ns</emphasis>, <emphasis
@@ -308,6 +309,33 @@
       </filename>and modify the copy. That way, your changes won't be
       overwritten the next time that Shorewall is updated on your
       system.</para>
+
+      <para>On systems running a a kernel earlier than 3.5, not all of the
+      helpers can be totally disabled. The following modules can be disabled
+      by using the parameter <emphasis role="bold">ports=0</emphasis> in
+      /etc/shorewall/helpers:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>ftp</para>
+        </listitem>
+
+        <listitem>
+          <para>irc</para>
+        </listitem>
+
+        <listitem>
+          <para>sane</para>
+        </listitem>
+
+        <listitem>
+          <para>sip</para>
+        </listitem>
+
+        <listitem>
+          <para>tftp</para>
+        </listitem>
+      </itemizedlist>
     </section>
 
     <section>