I am not sure about the fragmentation option: -f. I understand that this flag is not needed "if you use connection tracking".
But what exactly is meant by "if you use connection tracking"? Does it mean: "if the ip_conntrack module is loaded", or does it mean: "if you have rules using NEW, ESTABLISHED etc"?

And is it correct that, in that case, all fragmented packets will be unfragmented before they hit any chains, so I will not see any unfragmented packets anyway? And in case I do need to use the -f option, then in which chains and in which rules?

BTW: I am using iptables v1.2.1a.

Jan Humme.
