Just upgraded a bridging firewall from 10.0 to 10.1-RELEASE-p5. The first rule is:
reass all from any to any in
The only time I receive fragmented UDP packets is when my DNS server attempts to resolve www.freebsd.org, as it returns large UDP packets which are fragmented over my broadband connection:
17:09:54.182826 IP 184.108.40.206.49514 > 220.127.116.11.53: 36047 [1au] A? wfe0.ysv.freebsd.org. (49)
17:09:54.202100 IP 18.104.22.168.53 > 22.214.171.124.49514: 36047*- 2/4/11 A 126.96.36.199, RRSIG (1424)
I added the reass rule in 10.0 and it's been working perfectly. I upgraded to 10.1-RELEASE-p5 and everything else works as expected except that www.freebsd.org does not resolve.
allow ip from any to any frag
...just after the check-state rule, and that fixed the problem (but only after the reass rule was first deleted).
It seems that the reass rule is absorbing fragments but not passing them perhaps. This bridging firewall only sees IPv4 traffic. Tcpdump shows the response packet on the external interface and the bridge interface, but not the internal interface.
A sanitised version of the rules is here: http://rdls.net/dl/bridge/rc.firewall.local
FreeBSD motoko.rdls.net 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015 email@example.com:/usr/obj/usr/src/sys/GENERIC amd64
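The post above turns on how ipfw's two fragment-related keywords differ: `reass` (ipfw(8): a fragment in the middle of a logical group is consumed and processing stops; the last fragment is reassembled and the whole datagram continues down the rule list) versus the `frag` match (a fragment that is not the first, i.e. nonzero fragment offset, so it carries no UDP header and cannot match a port rule). The following is an added illustration, not code from the original post, from FreeBSD or from the poster's rc.firewall.local: a small Python model that builds a 1424-byte UDP/DNS-sized response, fragments it for a link MTU, and then shows what a `frag` test and a `reass` stage each see per fragment. Addresses, ID, MTU and the zero-filled DNS body are constructed sample data, and the reassembler is a minimal model (no timeouts, no overlap handling), not ipfw's ip_reass().

```python
"""Model of ipfw `frag` matching and `reass` behaviour on IPv4 fragments (added example)."""
import struct

IP_MF = 0x2000       # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the header (checksum field must be zeroed)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, ident: int, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte unfragmented IPv4 header (TTL 64, no options)."""
    h = bytearray(20)
    h[0] = 0x45                                   # version 4, IHL 5
    struct.pack_into("!H", h, 2, 20 + payload_len)
    struct.pack_into("!H", h, 4, ident)
    h[8], h[9] = 64, proto
    h[12:16], h[16:20] = src, dst
    struct.pack_into("!H", h, 10, ipv4_checksum(h))
    return bytes(h)


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack_from("!HHH", pkt, 2)
    return {"ihl": ihl, "id": ident, "proto": pkt[9],
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8,   # byte offset of this piece
            "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:total_len]}


def fragment(hdr20: bytes, payload: bytes, mtu: int) -> list:
    """Split one datagram into fragments that fit the link MTU (what the upstream router does)."""
    chunk = (mtu - 20) // 8 * 8                   # payload per fragment, multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        mf = IP_MF if off + len(part) < len(payload) else 0
        h = bytearray(hdr20)
        struct.pack_into("!H", h, 2, 20 + len(part))
        struct.pack_into("!H", h, 6, mf | (off // 8))
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, ipv4_checksum(h))
        frags.append(bytes(h) + part)
    return frags


def is_frag(hdr: dict) -> bool:
    """ipfw `frag` keyword: matches fragments other than the first (nonzero offset)."""
    return hdr["offset"] != 0


class Reassembler:
    """Models the `reass` action: middle fragments are consumed (None = rule processing
    stops for that packet); when the group is complete the whole datagram is returned."""
    def __init__(self):
        self.queues = {}

    def feed(self, pkt: bytes):
        h = parse_ipv4(pkt)
        if not h["mf"] and h["offset"] == 0:
            return pkt                            # not fragmented: continue with next rule
        key = (h["src"], h["dst"], h["id"], h["proto"])
        q = self.queues.setdefault(key, {"parts": {}, "total": None, "first": None})
        q["parts"][h["offset"]] = h["payload"]
        if h["offset"] == 0:
            q["first"] = pkt[:h["ihl"]]           # keep the first fragment's header
        if not h["mf"]:
            q["total"] = h["offset"] + len(h["payload"])
        if q["total"] is None or q["first"] is None:
            return None
        pos, data = 0, b""
        for off in sorted(q["parts"]):            # require contiguous coverage
            if off != pos:
                return None
            data += q["parts"][off]
            pos = off + len(q["parts"][off])
        if pos != q["total"]:
            return None
        del self.queues[key]
        hdr = bytearray(q["first"])
        struct.pack_into("!H", hdr, 2, len(hdr) + len(data))
        struct.pack_into("!H", hdr, 6, 0)          # clear MF and offset
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
        return bytes(hdr) + data


def demo(mtu: int = 1000) -> dict:
    """Constructed sample: a 1424-byte DNS-sized UDP reply from port 53, fragmented for `mtu`."""
    src, dst = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 10])   # documentation addresses
    dns = struct.pack("!H", 36047) + b"\x00" * 1422               # txid from the post, zero body
    udp = struct.pack("!HHHH", 53, 49514, 8 + len(dns), 0) + dns
    hdr = ipv4_header(src, dst, 0x1234, 17, len(udp))
    frags = fragment(hdr, udp, mtu)
    results = [Reassembler().feed(f) for f in []] or []           # placeholder, replaced below
    r = Reassembler()
    results = [r.feed(f) for f in frags]
    return {"n_frags": len(frags),
            "frag_matches": [is_frag(parse_ipv4(f)) for f in frags],   # first: False, rest: True
            "swallowed": [x is None for x in results],                 # all but the last: True
            "reassembled_ok": results[-1] == hdr + udp}
```

Reading the output for the two-fragment case: the first fragment does not match `frag` (it still has the UDP header, so a port or dynamic rule can match it), while the second does; under `reass`, the first fragment is swallowed and only the final one yields a packet, which is the full 1452-byte datagram and no longer matches `frag` at all. Whether that reassembled datagram then continues down the rules or is passed outright depends on net.inet.ip.fw.one_pass, which this model does not reproduce.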