Hygiene: block-policy, scrub and antispoof

block-policy:

drop - drop without return, or

return - Connection refused, Destination unreachable, etc

set block-policy return

scrub:

normalization, defragmentation

scrub in all

antispoof:

"this packet should not be here"

antispoof for $ext_if
antispoof for $int_if