In some mail from Bernd Eckenfels, sie said:
>
> Hello,
>
>
> On Sep 16, Marek Kubita wrote
> > Firewall-1 claims to use "virtual packet defragmentation":
> >
> > - the firewall waits for all fragments to arrive
> > - the reassembled packet is inspected by the filtering rules
> > - if passed, the fragments are sent to their destination (not the
> > reassembled packet).
> Is there a reason for not sending the complete packets? MTU path discovery?
> Hmm... shouldn't be a problem.
If MTU path discovery isn't being used?
The point is that the packets which get sent _out_ are the same as the
packets which are received. The firewall should not be altering packets
unless it is doing something like NAT.
Darren
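
The three steps quoted above (hold the fragments, inspect the reassembled packet, forward the original fragments untouched) as an added sketch; it is not Firewall-1's code and not part of the original mail. The names Fragment, VirtualReassembler and policy are hypothetical, offsets are plain byte counts rather than 8-byte units, and there is no reassembly timeout.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:                      # hypothetical model of one IP fragment
    src: str
    dst: str
    ident: int                       # IP identification field
    offset: int                      # payload offset in bytes (simplified)
    more: bool                       # "more fragments" flag
    payload: bytes

class VirtualReassembler:
    def __init__(self, policy):
        self.policy = policy         # callable(bytes) -> True to pass
        self.pending = {}            # (src, dst, ident) -> fragments seen

    def feed(self, frag):
        """Return the fragments to forward now; [] while waiting or on drop."""
        key = (frag.src, frag.dst, frag.ident)
        frags = self.pending.setdefault(key, [])
        frags.append(frag)
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[-1].more:         # final fragment not seen yet
            return []
        expected = 0
        for f in ordered:
            if f.offset > expected:  # hole: keep waiting
                return []
            if f.offset < expected:  # overlap or duplicate: ambiguous, drop
                del self.pending[key]
                return []
            expected += len(f.payload)
        del self.pending[key]
        datagram = b"".join(f.payload for f in ordered)   # inspection copy only
        if not self.policy(datagram):
            return []
        return frags                 # originals, arrival order, unmodified

if __name__ == "__main__":
    # Constructed sample: a rule that blocks the marker b"BLOCKME".
    fw = VirtualReassembler(lambda data: b"BLOCKME" not in data)
    a = Fragment("192.0.2.1", "198.51.100.9", 7, 0, True, b"....BLOC")
    b = Fragment("192.0.2.1", "198.51.100.9", 7, 8, False, b"KME!")
    print(fw.feed(b), fw.feed(a))    # held first, then dropped as a whole
```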