ipfilter frags question

[Mike Maltese]

> On my Linux box, I can force all fragments to be re-assembled into whole 
> packets before being presented to the firewall, and that's what I've 
> done. However, as near as I can tell, FreeBSD (5.2.1-RELEASE) doesn't 
> have that feature.
> 
> So what do I do with fragments? They are a valid part of a tcp 
> conversation, so dropping them isn't good, but neither is just accepting 
> them willy-nilly, either.

http://www.obfuscation.org/ipf/ipf-howto.html#TOC_23