diff --git a/qubesadmin/tests/tools/qvm_firewall.py b/qubesadmin/tests/tools/qvm_firewall.py
index bb38350..1549501 100644
--- a/qubesadmin/tests/tools/qvm_firewall.py
+++ b/qubesadmin/tests/tools/qvm_firewall.py
@@ -96,6 +96,17 @@ class TC_00_RuleAction(qubesadmin.tests.QubesTestCase):
                 qubesadmin.firewall.Rule(
                     None, action='accept', dsthost='127.0.0.1/32'))
 
+    def test_007_none_errors(self):
+        ns = argparse.Namespace()
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=', 'action=accept'])
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=127.0.0.1', 'dstports=',
+                                   'action=accept'])
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=127.0.0.1', 'icmptype=',
+                                   'action=accept'])
+
 
 class TC_10_qvm_firewall(qubesadmin.tests.QubesTestCase):
     def setUp(self):
diff --git a/qubesadmin/tools/qvm_firewall.py b/qubesadmin/tools/qvm_firewall.py
index 15df6a1..979fd6b 100644
--- a/qubesadmin/tools/qvm_firewall.py
+++ b/qubesadmin/tools/qvm_firewall.py
@@ -48,6 +48,9 @@ class RuleAction(argparse.Action):
         allowed_opts = assumed_order + ['specialtarget', 'comment', 'expire']
         kwargs = {}
         for opt in values:
+            if opt[-1] == '=':
+                raise argparse.ArgumentError(
+                    None, 'invalid rule description: {}'.format(opt))
             opt_elements = opt.split('=')
             if len(opt_elements) == 2:
                 key, value = opt_elements