From LinuxSecurity.com: When matching a packet fragment, insufficient checks were performed
to ensure the fragment is valid. In addition, the fragment cache is
checked before any rules are checked. Even if all fragments are
blocked with a rule, fragment cache entries can be created by
packets that match currently held state information. Because of
these discrepancies, certain packets may bypass filtering rules.
All versions of FreeBSD prior to the correction date, including
FreeBSD 3.5.1 and 4.2, contain this problem.