pf should block the port range allocated by net.inet.tcp.baddynamic

for the X protocol instead of port 6000 only; this way pf provides
the same protection level to all X servers.
ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking
in pf" deraadt@, "i'd thought of something similar" oga@

src/etc/pf.conf

@@ -1,4 +1,4 @@
-#	$OpenBSD: pf.conf,v 1.43 2009/05/30 22:18:15 henning Exp $
+#	$OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
 #
 # See pf.conf(5) for syntax and examples; this sample ruleset uses
 # require-order to permit mixing of NAT/RDR and filter rules.
@@ -30,4 +30,4 @@ pass		# to establish keep-state
 #block in quick from urpf-failed to any	# use with care
 
 # By default, do not permit remote connections to X11
-block in on ! lo0 proto tcp to port 6000
+block in on ! lo0 proto tcp to port 6000:6010