I've been running a few TCP-traceroutes towards some target and noticed that larger SYN packets (say, >5B TCP payload) are dropped. But only in IPv4. In IPv6 those are still delivered.
I also ran UDP- and ICMP-based traceroutes of the same sizes from the same vantage points towards the same target, and they are not dropped (neither in IPv4, nor in IPv6).
Meaning, the connectivity issue I'm seeing seems to be related to TCP/IPv4, especially for larger packets.
Does anyone know of firewalls that filter large SYN packets (preferably for IPv4)? If so, why is this done? And why not just filter all SYN packets?