The /etc/rc.firewall workstation profile does not properly handle
fragmented packets. This causes problems for such services as
DNS and DNSSEC that may use fragmented packets.
The workstation profile provided by rc.firewall breaks DNSSEC. A user
who enables the local_unbound resolver or uses another DNSSEC-aware
resolver is unable to access DNSSEC hosted services. This breaks
accessing FreeBSD.org, for example.