diff -Nru linux-2.4.20/net/ipv4/netfilter/ipt_unclean.c linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.20/net/ipv4/netfilter/ipt_unclean.c	2002-11-28 17:53:15.000000000 -0600
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_unclean.c	2003-05-02 13:00:31.000000000 -0500
@@ -521,6 +521,16 @@
 		return 0;
 	}
 
+	/* CHECK: Do not use what is unused.
+	 * First bit of fragmentation flags should be unused.
+	 * May be used by OS fingerprinting tools.
+	 * 04 Jun 2002, Maciej Soltysiak, solt@dns.toxicfilms.tv
+	 */
+	if (ntohs(iph->frag_off)>>15) {
+		limpk("IP unused bit set\n");
+		return 0;
+	}
+
 	/* Per-protocol checks. */
 	switch (iph->protocol) {
 	case IPPROTO_ICMP:
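Review bot: The added test `ntohs(iph->frag_off)>>15` relies on a magic shift to pick out the reserved flag bit, so a reader has to work out which bit is meant. Masking in network byte order names the bit and lets the byte swap fold at compile time: `if (iph->frag_off & htons(IP_CE)) {`, where `IP_CE` is the 0x8000 mask from `<net/ip.h>` (historically labelled "Congestion", but it is the same reserved bit). The comment would be more precise as `/* RFC 791: the high bit of the flags field is reserved and must be zero; a set bit is abnormal and is sometimes used as a fingerprinting probe. */`, with the date and author line left to the changelog. The enclosing function starts and ends outside this hunk, so whether `iph` has already been length-checked at this point cannot be confirmed from here.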
