Just a little more on this fragments thing.... In Atguard, fragment blocking was not configurable in the GUI. You needed to add a registry entry: BlockIPFragments In NIS/NPF (??-2005-??), the recommended setting was to allow fragments unless they resembled an attack. In ZAPlus 4.5.594, fragment blocking is OFF by default, although it can be turned on. In other firewalls?..... Did the designers of these other firewalls (some still getting more extensive use than Kerio 2.1.5) look at this as something that could cause problems if blocked by default, did they view it as unnecessary, or just not know any better?