SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some hosts

I don't know about NetBSD, but Linux has a kernel option "IP: Always
Defragment", when setting up your box for routing or filtering.

The main reason one would do this would be to prevent hosts inside their
firewall from being attacked with the various IP-fragment DoS attacks
against MS Windows machines.