keep-state rules inadequately handles big UDP packets or fragmented IP packets?

[Sergey Matveychuk]

Dmitriy Demidov wrote:
> Hi Luigi. Thank you for answer.
> It is a big "surprise" for me that reassembling of IP datagrams is done not *before* they go into firewall, but *after* :(

But what's wrong with it? A fragment got from net, pass firewall and 
store. After all fragments we got, OS reassembly a packet and pass it 
through firewall again.

-- 
Dixi.
Sem.