diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 3b44daf5fb3e02fe230d4d56ca2b49d321896d9d..8d435ff3a749aabd85ca89e1632c2d48abae6be8 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -136,8 +136,15 @@ function configure_firewall {
     iptables -A INPUT -i lo -j ACCEPT
     iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
+    # Drop invalid packets
+    iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+
     # Make sure incoming tcp connections are SYN packets
     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+    iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+
+    # Drop SYN packets with suspicious MSS value
+    iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
 
     # Drop packets with incoming fragments
     iptables -A INPUT -f -j DROP