block-policy:
drop - drop without return, or
return - Connection refused, Destination unreachable, etc
set block-policy return
scrub:
normalization, defragmentation
scrub in all
antispoof:
"this packet should not be here"
antispoof for $ext_if antispoof for $int_if