diff --git a/Shorewall/firewall b/Shorewall/firewall
index 3b5f29a9f..2cd4856d5 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -200,7 +200,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 state="ESTABLISHED"
 [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 run_iptables -A $1 -m state --state $state -j ACCEPT
- run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
+ [ -z "$NEWNOTSYN" ] && \
+ run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
 fi
 eval ${1}_exists=Yes
@@ -2726,12 +2727,14 @@ initialize_netfilter () {
 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- createchain newnotsyn no
- run_user_exit newnotsyn
- [ -n "$LOGNEWNOTSYN" ] && \
- run_iptables -A newnotsyn -j LOG \
- --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
- run_iptables -A newnotsyn -j DROP
+ if [ -z "$NEWNOTSYN" ]; then
+ createchain newnotsyn no
+ run_user_exit newnotsyn
+ [ -n "$LOGNEWNOTSYN" ] && \
+ run_iptables -A newnotsyn -j LOG \
+ --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
+ run_iptables -A newnotsyn -j DROP
+ fi
 createchain icmpdef no
 createchain common no
@@ -3408,6 +3411,7 @@ do_initialize() {
 DETECT_DNAT_IPADDRS=
 MERGE_HOSTS=
 MUTEX_TIMEOUT=
+ NEWNOTSYN=
 LOGNEWNOTSYN=
 FORWARDPING=
 stopping=
@@ -3487,6 +3491,7 @@ do_initialize() {
 DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
 MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
 FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
+ NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
 }
 ################################################################################
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index adef919b5..647d5361f 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
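Review bot: The new `[ -z "$NEWNOTSYN" ] && \` guard in createchain is only correct because the identical test in initialize_netfilter (the second hunk) decides whether the `newnotsyn` chain is created at all; if the two conditions ever diverge, the `-j newnotsyn` jump targets a chain that does not exist and the iptables load fails. A why-comment at the guard would make that coupling visible, e.g. `# newnotsyn chain only exists when NEWNOTSYN is empty (No); see initialize_netfilter`. The guard also relies on the empty string, not the literal "No", carrying the disabled state, so the comment should say that `added_param_value_yes` is assumed to normalise "No" to an empty value. In the second hunk the same setting also skips `run_user_exit newnotsyn`, which is worth a one-line comment there since a user's newnotsyn extension script is silently ignored when NEWNOTSYN=Yes. createchain's body begins before the hunk.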
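Review bot: The added line in the last hunk, which assigns NEWNOTSYN from added_param_value_yes, appears to default the option to Yes when shorewall.conf does not define it, judging by the name and by the added_param_value_no calls on the neighbouring lines for the other options; if that reading is right, an existing installation that upgrades without adding NEWNOTSYN to its shorewall.conf silently stops dropping New-not-SYN packets, while a freshly installed shorewall.conf ships NEWNOTSYN=No. Those two defaults should agree: if upgraders are meant to keep the drop behaviour, use added_param_value_no on that line; if defaulting absent configurations to Yes is intentional, the change in filtering at upgrade time deserves a comment next to the assignment and a release note. do_initialize continues outside the hunk.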
@@ -339,6 +339,8 @@ MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
+# This variable only has an effect when NEWNOTSYN=No (see below).
+ #
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged,
@@ -357,4 +359,21 @@ LOGNEWNOTSYN=
 FORWARDPING=Yes
+#
+# NEWNOTSYN
+#
+# If this variable is set to "No" or "no", then When a TCP packet that does
+# not have the SYN flag set and the ACK and RST flags clear then unless the
+# packet is part of an established connection, it will be rejected by the
+# firewall
+#
+# If this variable is set to "Yes" or "yes" then such packets will not be
+# rejected but will pass through the normal rule processing.
+#
+# Users with a High-availability setup with two firewall's and one acting
+# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
+# also need to select NEWNOTSYN=Yes.
+
+NEWNOTSYN=No
+
 #LAST LINE -- DO NOT REMOVE
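Review bot: The NEWNOTSYN description in the second hunk should state the trade-off of the Yes setting, not only who needs it: with NEWNOTSYN=Yes a TCP packet without SYN that conntrack has no entry for is matched against the ordinary rules and policies, so any port-based ACCEPT rule admits it as well, whereas No drops such packets (and logs them when LOGNEWNOTSYN is set). A sentence like `# With NEWNOTSYN=Yes such packets are evaluated by your normal rules and policies, so a port-based ACCEPT rule will also accept them; choose Yes only if your topology requires it.` would let administrators make that choice deliberately. The comment also has two wording slips: "then When a TCP packet" should read "then when a TCP packet", and "two firewall's" should read "two firewalls". The "firewall" sentence in the same block is missing its terminating period.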