diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 0e8b582bb..a42582f0f 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -173,6 +173,7 @@ our %EXPORT_TAGS = (
 do_tos
 do_connbytes
 do_helper
+ validate_helper
 do_headers
 do_condition
 have_ipset_rules
@@ -558,19 +559,16 @@ sub initialize( $$$ ) {
 %ipset_exists = ();
- %helpers = ( amanda => 1,
- ftp => 1,
- h323 => 1,
- irc => 1,
- netbios_ns => 1,
- netlink => 1,
- proto_gre => 1,
- proto_sctp => 1,
- pptp => 1,
- proto_udplite => 1,
- sane => 1,
- sip => 1,
- tftp => 1 );
+ %helpers = ( amanda => TCP,
+ ftp => TCP,
+ h323 => UDP,
+ irc => TCP,
+ netbios_ns => UDP,
+ pptp => TCP,
+ sane => TCP,
+ sip => UDP,
+ snmp => UDP,
+ tftp => UDP);
 #
 # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
 #
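Review bot: Each helper in the new `%helpers` table is bound to exactly one protocol, and the companion `validate_helper` (next hunk) compares with `==`, so any rule naming a helper with the other transport becomes fatal. As far as I recall, the kernel's h323 and sip helper modules register for both TCP and UDP (Q.931 over TCP alongside RAS over UDP; SIP over either), in which case `h323 => UDP` and `sip => UDP` would reject legitimate `PROTO=tcp` rules — worth confirming against the helper modules before this ships. If that is right, store a list per helper, e.g. `h323 => [ TCP, UDP ], sip => [ TCP, UDP ]`, and make the check a membership test instead of an equality. `TCP`/`UDP` are barewords here; they presumably resolve to protocol-number constants already in scope in Chains.pm, since `use strict` would otherwise reject them. `initialize` starts and ends outside this hunk.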
@@ -4004,22 +4002,49 @@ sub do_connbytes( $ ) {
 }
 #
-# Create a soft "-m helper" match for the passed argument
+# Validate a helper/protocol pair
+#
+sub validate_helper( $;$ ) {
+ my ( $helper, $proto ) = @_;
+ my $helper_base = $helper;
+ $helper_base =~ s/-\d+$//;
+
+ my $helper_proto = $helpers{$helper_base};
+
+ if ( $helper_proto) {
+ #
+ # Recognized helper
+ #
+ if ( supplied $proto ) {
+ my $protonum = -1;
+
+ unless ( $proto eq '-' ) {
+ fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+ }
+
+ unless ( $protonum == $helper_proto ) {
+ fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
+ }
+ }
+ } else {
+ fatal_error "Unrecognized helper ($helper_base)";
+ }
+}
+
+#
+# Create an "-m helper" match for the passed argument
 #
 sub do_helper( $ ) {
 my $helper = shift;
 return '' if $helper eq '-';
- my $helper_base = $helper;
-
- $helper_base =~ s/-\d+$//;
-
- warning_message "Unrecognized helper ($helper)" unless $helpers{$helper_base};
+ validate_helper( $helper );
 qq(-m helper --helper "$helper" ) if defined wantarray;
 }
+
 #
 # Create a "-m length" match for the passed LENGTH
 #
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index cebf8a147..a2ea833a7 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -76,7 +76,7 @@ sub process_notrack_rule( $$$$$$$ ) {
 if ( $option eq 'helper' ) {
 fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 fatal_error "A protocol protocol is required in CT:helper rules" if $proto eq '-';
- do_helper( $args );
+ validate_helper( $args, $proto );
 $action = "CT --helper $args";
 $exception_rule = do_proto( $proto, '-', '-' );
 } elsif ( $option eq 'ctevents' ) {
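Review bot: The `Unknown PROTO` message in `validate_helper` interpolates `$protonum`, which at that point holds the `undef` just assigned from the failed `resolve_proto` call (so the user sees `Unknown PROTO ()` plus an uninitialized-value warning) instead of the offending input; it should read `fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );`. `if ( $helper_proto )` also conflates a helper mapped to protocol number 0 with an unknown helper — now that `%helpers` holds protocol numbers, `defined $helper_proto` is the precise test. Separately, `do_helper` calls `validate_helper( $helper )` with no protocol, so the new helper/protocol consistency check only fires on the Raw.pm path; if `do_helper`'s callers (outside this hunk) have the rule's PROTO in hand, passing it through would close that gap. Note that promoting the former `warning_message` to `fatal_error` is what makes the unchanged `qq(-m helper --helper "$helper" )` interpolation safe: the helper is now guaranteed to be a table key plus an optional `-digits` suffix before it reaches the iptables command line.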