diff -Nru linux-2.4.20-pre10-mjc1/include/linux/netfilter_ipv4/ip_conntrack_tcp.h linux-2.4.20-pre10-mjc2/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
--- linux-2.4.20-pre10-mjc1/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	2002-10-23 22:55:31.000000000 -0400
+++ linux-2.4.20-pre10-mjc2/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	2002-10-25 00:04:00.000000000 -0400
@@ -20,8 +20,9 @@
 {
 	enum tcp_conntrack state;
 
-	/* Poor man's window tracking: sequence number of valid ACK
-           handshake completion packet */
+	/* Poor man's window tracking: expected sequence and acknowledge 
+	   number of valid ACK handshake completion packet */
+	u_int32_t handshake_seq;
 	u_int32_t handshake_ack;
 };
 
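Review bot: The updated comment on `handshake_seq` / `handshake_ack` does not say which byte order the two fields hold, and the rest of the patch depends on it. `handshake_seq` is assigned straight from `tcph->ack_seq`, `handshake_ack` is built with `htonl(...)`, and both are later compared directly against header fields, so they are network-order values. I would add `/* Both stored in network byte order; compare against tcph fields without ntohl() */` above the fields. The new comment line also ends in trailing whitespace after "acknowledge". The struct's opening line is outside this hunk.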
diff -Nru linux-2.4.20-pre10-mjc1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.4.20-pre10-mjc2/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- linux-2.4.20-pre10-mjc1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2002-10-23 22:55:31.000000000 -0400
+++ linux-2.4.20-pre10-mjc2/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2002-10-25 00:04:00.000000000 -0400
@@ -184,6 +184,8 @@
 	if (oldtcpstate == TCP_CONNTRACK_SYN_SENT
 	    && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
 	    && tcph->syn && tcph->ack)
+		conntrack->proto.tcp.handshake_seq
+			= tcph->ack_seq;
 		conntrack->proto.tcp.handshake_ack
 			= htonl(ntohl(tcph->seq) + 1);
 	WRITE_UNLOCK(&tcp_lock);
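Review bot: The `if (oldtcpstate == TCP_CONNTRACK_SYN_SENT ...)` has no braces, so after this change it guards only the new `handshake_seq` assignment, and the `handshake_ack = htonl(ntohl(tcph->seq) + 1)` store now runs for every packet that reaches this point. That overwrites the value recorded from the SYN/ACK with one derived from whatever packet is being processed. The stricter IPS_ASSURED check in the `@@ -200,6 +202,7 @@` hunk would then compare against the wrong reference, which undermines the validation this patch is meant to tighten. Open a block with `&& tcph->syn && tcph->ack) {` and close it with `}` after the `handshake_ack` assignment, before `WRITE_UNLOCK(&tcp_lock);`. The enclosing function starts and ends outside the hunk.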
@@ -200,6 +202,7 @@
 		if (oldtcpstate == TCP_CONNTRACK_SYN_RECV
 		    && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL
 		    && tcph->ack && !tcph->syn
+		    && tcph->seq == conntrack->proto.tcp.handshake_seq
 		    && tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
 			set_bit(IPS_ASSURED_BIT, &conntrack->status);
 
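Review bot: The added `tcph->seq == conntrack->proto.tcp.handshake_seq` test appears to read shared conntrack state without `tcp_lock` held. Going by the hunk offsets, this condition sits after the `WRITE_UNLOCK(&tcp_lock)` of the previous hunk; unless the lock is retaken in the lines not shown, another CPU handling a packet for the same connection could rewrite `handshake_seq` or `handshake_ack` between the two comparisons. The same already held for `handshake_ack` before this patch, but the check now depends on two fields being consistent with each other. Consider evaluating the match while the lock is still held, e.g. `int hs_ok = tcph->seq == conntrack->proto.tcp.handshake_seq && tcph->ack_seq == conntrack->proto.tcp.handshake_ack;`, and testing `hs_ok` here. The enclosing block begins outside the hunk.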
