diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index ad04b97f5..44335395e 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1200,7 +1200,7 @@ sub process_rule ( $$$$$$$$$$ ) {
 }
 } else {
 my $destzone = (split /:/, $dest)[0];
- $destzone = $firewall_zone unless $zones{$destzone}; # We will revalidate the destination zone in process_rule1
+ $destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
 my $policychainref = $filter_table->{"${zone}2${destzone}"}{policychain};
 if ( $intrazone || ( $zone ne $destzone ) ) {
 fatal_error "No policy from zone $zone to zone $destzone" unless $policychainref;
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index caba81a64..64187a98e 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
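Review bot: The new comment on the changed line describes only the 'REDIRECT all ...' case, but the substitution it annotates applies to every destination whose first colon-separated component is not a key of %zones, so the policy lookup on the following line is done against $firewall_zone for any unrecognized destination, not just 'all'. A reader checking why "No policy from zone ..." did not fire for a mistyped zone name will not find that from the comment; process_rule1's validation is referenced but not visible here, so I cannot confirm it covers every such case. Suggest wording the comment to match the condition, e.g. `# Any destination that is not a known zone (e.g. 'all' in 'REDIRECT all ...') is looked up as $firewall_zone here; process_rule1 rejects genuinely invalid zones`. process_rule begins and ends outside this hunk.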
@@ -69,27 +69,29 @@ sub setup_tunnels() {
 add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
 }
 
- for my $zone ( split /,/, $gatewayzones ) {
- fatal_error "Invalid zone ($zone)" unless $zones{$zone}{type} eq 'ipv4';
- $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
- $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
-
- unless ( $capabilities{POLICY_MATCH} ) {
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
-
- unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
+ unless ( $gatewayzones eq '-' ) {
+ for my $zone ( split /,/, $gatewayzones ) {
+ fatal_error "Invalid zone ($zone)" unless $zones{$zone}{type} eq 'ipv4';
+ $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
+ $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
+
+ unless ( $capabilities{POLICY_MATCH} ) {
+ add_rule $inchainref, "-p 50 $source -j ACCEPT";
+ add_rule $outchainref, "-p 50 $dest -j ACCEPT";
+
+ unless ( $noah ) {
+ add_rule $inchainref, "-p 51 $source -j ACCEPT";
+ add_rule $outchainref, "-p 51 $dest -j ACCEPT";
+ }
+ }
+
+ if ( $kind eq 'ipsec' ) {
+ add_rule $inchainref, "-p udp $source --dport 500 $options";
+ add_rule $outchainref, "-p udp $dest --dport 500 $options";
+ } else {
+ add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
+ add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
 }
- }
-
- if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
- } else {
- add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
- add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
 }
 }
 }
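Review bot: The zone validation inside the new `unless ( $gatewayzones eq '-' )` block still dereferences `$zones{$zone}{type}` before knowing the zone exists, so a misspelled gateway zone autovivifies a `$zones{$zone}` entry and emits an "uninitialized value" warning before fatal_error reports it; the guard is now the only thing standing between a bad GATEWAY ZONES entry and the ACCEPT rules for protocols 50/51 and UDP 500/4500, so it is worth making it exact: `fatal_error "Invalid zone ($zone)" unless $zones{$zone} && $zones{$zone}{type} eq 'ipv4';`. Whether an empty column reaches this code as '-' or as an empty string is not visible here; if it can be empty, `split` yields no zones and the loop is silently skipped, which may or may not be the intended behaviour. The sentinel '-' meaning "no gateway zones" is also worth a one-line comment above the new `unless`, since the same value is presumably treated as a literal zone name elsewhere. setup_tunnels begins outside this hunk.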