We received a notice from our PCI-DSS auditors respecting this:
CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.
The NVD entry for which contains this note:
CHANGE> [Cox changed vote from REVIEWING to NOOP] Cox> So I asked some kernel guys about this - it's not considered an issue. There are several other ways to identify Linux on the wire and people who care about this kind of thing rewrite their packets in various ways via firewall technology to trick the identifier programs.
So, what packet mangling may be done in iptables to solve this without breaking UDP transmission? I take it that we are talking about something in the prerouting chain, but what kind of mangling is safe? Is there an example somewhere?
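Before deciding on any mangling, it helps to confirm whether a host actually emits the behaviour the CVE describes. The following Python script is an added example (not code from the question, the NVD entry, or any kernel or iptables project): it reads a classic libpcap capture (link type 1, Ethernet, or 101, raw IPv4), parses the IPv4 header with the standard `struct` module, and counts how many unfragmented UDP datagrams carry an IP Identification of 0. The embedded sample capture is constructed inline for demonstration; the `make_ipv4` and `build_pcap` helpers exist only to produce that test data.

```python
"""Audit a pcap for unfragmented UDP datagrams whose IP Identification field is 0
(the Linux 2.4 behaviour described in CVE-2002-0510). Added example, not code
from the original question; reads classic libpcap files, not pcapng."""
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101      # records start directly with the IPv4 header
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def iter_pcap_records(data):
    """Yield (linktype, packet_bytes) for every record in a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    # global header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def ipv4_header_fields(linktype, pkt):
    """Return the IPv4 fields relevant to the check, or None if the record is not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":   # EtherType must be IPv4
            return None
        pkt = pkt[14:]
    elif linktype != LINKTYPE_RAW:
        return None
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    _, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    more_fragments = bool(flags_frag & 0x2000)   # MF bit; DF (0x4000) does not mean fragmented
    frag_offset = flags_frag & 0x1FFF
    return {
        "id": ident,
        "proto": proto,
        "fragmented": more_fragments or frag_offset != 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def zero_id_unfragmented(data, proto=IPPROTO_UDP):
    """Return (flagged, total): flagged lists record indices of unfragmented datagrams
    of `proto` whose IP ID is 0; total counts all unfragmented datagrams of `proto`,
    so len(flagged)/total is the share of traffic showing the fingerprintable pattern."""
    flagged, total = [], 0
    for index, (linktype, pkt) in enumerate(iter_pcap_records(data)):
        fields = ipv4_header_fields(linktype, pkt)
        if fields is None or fields["proto"] != proto or fields["fragmented"]:
            continue
        total += 1
        if fields["id"] == 0:
            flagged.append(index)
    return flagged, total


# --- constructed sample capture (test data, not real traffic) ---------------
def make_ipv4(ident, proto, flags_frag=0, payload=b"\x00" * 8):
    """Build a minimal IPv4 packet; the checksum is left 0 because this is test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Wrap raw packets in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out


SAMPLE_PCAP = build_pcap([
    make_ipv4(0, IPPROTO_UDP),                     # record 0: ID 0, unfragmented -> flagged
    make_ipv4(0, IPPROTO_UDP, flags_frag=0x4000),  # record 1: DF set, still unfragmented -> flagged
    make_ipv4(0, IPPROTO_UDP, flags_frag=0x2000),  # record 2: MF set, a fragment -> ignored
    make_ipv4(0x1234, IPPROTO_UDP),                # record 3: non-zero ID -> counted, not flagged
    make_ipv4(0, IPPROTO_TCP),                     # record 4: TCP, not UDP -> ignored
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    flagged, total = zero_id_unfragmented(data)
    print(f"{len(flagged)} of {total} unfragmented UDP datagrams carry IP ID 0: records {flagged}")
```

Run it against a capture of the host's own outbound UDP (for example one written with `tcpdump -w out.pcap udp`); if nearly every unfragmented datagram is flagged, the host exhibits the pattern the auditors cited, and the same script can be re-run after any firewall change to confirm the outgoing IDs actually differ from 0.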