diff --git a/STABLE/firewall b/STABLE/firewall
index e4d222888..3ee873ae0 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -3326,6 +3326,12 @@ add_common_rules() {
     run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
     run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
     run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
+    #
+    # A Shorewall user reported seeing outgoing SYN ACK packets with DPT=0
+    # That prompted me to add the following which will stop an incoming
+    # SYN with SPT=0
+    #
+    run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
 
     for interface in $interfaces; do
 	for chain in `first_chains $interface`; do
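Review bot: The new rule only rejects a SYN whose source port is 0, but port 0 is reserved on both sides of a TCP connection, so a SYN addressed to destination port 0 is equally malformed and still passes the tcpflags chain; adding the symmetric check `run_iptables -A tcpflags -p tcp --syn --dport 0 $disposition` right after the new line closes that gap with the same disposition as the other flag checks. The added comment also reads as a changelog anecdote rather than an explanation of the rule; it would serve the next maintainer better as `# Port 0 is reserved; a SYN with SPT=0 is never legitimate (its SYN/ACK reply would go to DPT=0, as reported by a Shorewall user)`. The enclosing function add_common_rules starts and ends outside the hunk, so where `$disposition` is set and whether it logs before dropping cannot be confirmed from here.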