I just finished working on a FreeBSD firewall setup. I usually use OpenBSD, but because I wanted to use 25Gbit/s networking, I went for FreeBSD as the benchmarks I found were better.
I have my firewall working, but for some reason, my OpenVPN tunnel worked only with HTTP and not HTTPS.
It was driving me crazy, but after capturing traffic, I discovered that the HTTP traffic was not fragmented, but that the HTTPS traffic (we are talking about UDP OpenVPN traffic here) was fragmented.
I forgot to set reassemble yes, because on OpenBSD the PF rule was about scrubbing and I didn't port it.
The thing is, if you have a layer 4 rule (with a port number), it will not match the non-first fragments of a fragmented packet, because those carry no TCP/UDP header. When a packet gets fragmented at the IP level, only the first fragment contains the original TCP or UDP header with the port information. Subsequent fragments only have the IP header with the fragmentation details, so firewall rules that match on port numbers cannot inspect them. The set reassemble yes directive tells PF to reassemble fragmented packets before applying the rules, so that layer 4 filtering works correctly.
I knew that but forgot about it, as most firewalls handle this transparently now.
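To make the mechanism concrete, here is an added Python example (not from the post, not pf code) that fragments a constructed oversized UDP datagram the way IPv4 does, applies a port-based rule to each fragment, and then applies the same rule after reassembly, which is what set reassemble yes gives you in PF. Port 1194 and the payload sizes are constructed sample values.

```python
import struct

IP_HDR, UDP_HDR, UDP_PROTO = 20, 8, 17

def build_udp_packet(src_port, dst_port, payload):
    """IP payload = UDP header (ports, length, checksum left 0) + payload."""
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HDR + len(payload), 0)
    return {"proto": UDP_PROTO, "off": 0, "mf": False, "data": udp + payload}

def fragment(pkt, mtu):
    """IPv4-style fragmentation: offsets in 8-byte units, MF flag set on
    every fragment but the last. A packet that fits the MTU stays whole."""
    chunk = (mtu - IP_HDR) // 8 * 8
    data = pkt["data"]
    return [{"proto": pkt["proto"], "off": off // 8,
             "mf": off + chunk < len(data), "data": data[off:off + chunk]}
            for off in range(0, len(data), chunk)]

def rule_udp_dport(pkt, port):
    """A layer-4 rule such as 'pass proto udp to port 1194': only a whole
    packet or the first fragment (offset 0) carries the UDP header at all."""
    if pkt["proto"] != UDP_PROTO or pkt["off"] != 0:
        return False
    _, dport = struct.unpack("!HH", pkt["data"][:4])
    return dport == port

def reassemble(frags):
    """What 'set reassemble yes' does: rebuild the datagram before the
    ruleset runs. Refuses incomplete or non-contiguous fragment sets."""
    frags = sorted(frags, key=lambda f: f["off"])
    expected = 0
    for f in frags:
        if f["off"] * 8 != expected:
            raise ValueError("gap in fragment chain")
        expected += len(f["data"])
    if frags[-1]["mf"]:
        raise ValueError("last fragment missing")
    data = b"".join(f["data"] for f in frags)
    return {"proto": frags[0]["proto"], "off": 0, "mf": False, "data": data}

def filter_fragments(frags, port, reassemble_first):
    """One verdict per fragment without reassembly; one for the rebuilt datagram."""
    if reassemble_first:
        return [rule_udp_dport(reassemble(frags), port)]
    return [rule_udp_dport(f, port) for f in frags]

if __name__ == "__main__":
    # Constructed sample: a large datagram, like a TLS record in an OpenVPN tunnel.
    large = fragment(build_udp_packet(40000, 1194, b"x" * 3000), 1500)
    print(filter_fragments(large, 1194, False), filter_fragments(large, 1194, True))
```

Without reassembly the first fragment passes and the two tail fragments fall through to whatever rule matches a bare IP header, which is exactly the small-HTTP-works, large-HTTPS-breaks symptom described above.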