In some email I received from Thor Lancelot Simon, sie wrote:
[...]
> 2) Our NAT code appears to corrupt locally-generated needs-frag ICMP
>    messages, so a NetBSD router separating, say, an MTU-1400 PPPOE link
>    and an MTU-1500 Ethernet will create a Path MTU blackhole.  I have an
>    open PR on this, but I last time I looked I couldn't figure out how
>    checksum regeneration for locally-generated ICMP messages was *supposed*
>    to work, so I couldn't fix it.  
> 
> Bug #2 above is really serious and is probably responsible for many users'
> complaints about PPPOE and Path MTU.  With it fixed, we "shouldn't need a
> terrible hack like MSS clamping; with it there, we probably do.

I hope that this is a symptom of it being a fairly old version and that it
is fixed in the current code.  IPFilter 3.4.22 is the current revision:
http://coombs.anu.edu.au/~avalon/ip-filter.html

Of course, releng aren't interested in seeing it merged onto the 1.5 branch
(according to the last comment from them) either.

Darren