diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index ae1c02781..ddc19cfef 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -54,7 +54,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
 
-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -248,10 +250,10 @@ sub setup_conntrack() {
 
 		$empty = 0;
 
-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
-		    }
+		if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+		    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ) unless $1;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user );
 		} else {
 		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
 		}
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index c9fe273d7..5496269c6 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -151,10 +151,10 @@
                 </varlistentry>
 
                 <varlistentry>
-                  <term/>
+                  <term></term>
 
                   <listitem>
-                    <para/>
+                    <para></para>
                   </listitem>
                 </varlistentry>
 
@@ -250,6 +250,10 @@
           <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
           used as the <replaceable>zone</replaceable> name to mean
           <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
         </listitem>
       </varlistentry>
 
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index b2087c337..0348d3b85 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -145,6 +145,10 @@
           <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
           used as the <replaceable>zone</replaceable> name to mean
           <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
         </listitem>
       </varlistentry>