diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3ec70e334..75253417f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1751,6 +1751,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
 	fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
+	fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
     }
 
     if ( $actiontype & NATONLY ) {
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 45b9692b7..528c894d7 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -406,6 +406,8 @@ sub process_tc_rule( ) {
 	}
     }
 
+    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || $chain eq 'tcout' ); 
+
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .