Packet fragments
As per RFC 6192, all packets fragments are dropped unless a stateful firewall has been configured to permit the packets. This is to avoid a possible denial of service attack.
For one example of filtering traffic of fragmented packets, see "Filtering on Source IP Address”.