Change the default PF policy to "block return", including x11 as

suggested by naddy@.  This solves the problem that occurs when a
server crashes or is hard booted and comes back up without tearing
down any connections to it, and packets from these connections don't
match any existing state or rule and are silenty dropped.
ok phessler@ henning@ claudio@ dlg@

src/etc/pf.conf

@@ -1,4 +1,4 @@
-#	$OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
+#	$OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -16,7 +16,7 @@ set skip on lo
 # anchor for relayd(8)
 #anchor "relayd/*"
 
-block		# block stateless traffic
+block return	# block stateless traffic
 pass		# establish keep-state
 
 # rules for spamd(8)
@@ -32,4 +32,4 @@ pass		# establish keep-state
 #block in quick from urpf-failed to any	# use with care
 
 # By default, do not permit remote connections to X11
-block in on ! lo0 proto tcp to port 6000:6010
+block return in on ! lo0 proto tcp to port 6000:6010