--- sys/contrib/pf/net/pf_ioctl.c.orig	2012-09-06 15:47:47.000000000 +0200
+++ sys/contrib/pf/net/pf_ioctl.c	2012-09-06 15:56:16.000000000 +0200
@@ -386,7 +386,11 @@
 
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+	#ifdef PF_DEFAULT_TO_DROP
+    V_pf_default_rule.action = PF_DROP;
+    #else
 	V_pf_default_rule.action = PF_PASS;
+	#endif
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
 
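Review bot: The two added lines `    V_pf_default_rule.action = PF_DROP;` and `    #else` are indented with spaces while every neighbouring line, including the new `#ifdef`/`#endif`, uses tabs, and all three directives are indented where FreeBSD kernel sources conventionally keep `#ifdef`/`#else`/`#endif` at column 0; the same directive-indentation applies to the parallel hunk at line 477, which at least uses tabs. I would write the block as `#ifdef PF_DEFAULT_TO_DROP` / `\tV_pf_default_rule.action = PF_DROP;` / `#else` (and likewise `#endif`) in both places. Separately, the sys/conf/options hunk routes this option to opt_pf.h, so the `#ifdef` only ever evaluates true if pf_ioctl.c includes that generated header; that is worth confirming, because a missing include would not fail the build but would leave the default rule silently at PF_PASS, defeating the fail-closed intent. The enclosing function starts before this hunk.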
@@ -473,7 +477,11 @@
 
 	/* default rule should never be garbage collected */
 	pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
+	#ifdef PF_DEFAULT_TO_DROP
+	pf_default_rule.action = PF_DROP;
+	#else
 	pf_default_rule.action = PF_PASS;
+	#endif
 	pf_default_rule.nr = -1;
 	pf_default_rule.rtableid = -1;
 
--- sys/conf/options.orig	2012-09-06 15:59:40.000000000 +0200
+++ sys/conf/options	2012-09-06 16:00:59.000000000 +0200
@@ -426,6 +426,7 @@
 NETATALK		opt_atalk.h
 NFSLOCKD
 PCBGROUP		opt_pcbgroup.h
+PF_DEFAULT_TO_DROP	opt_pf.h
 RADIX_MPATH		opt_mpath.h
 ROUTETABLES		opt_route.h
 SLIP_IFF_OPTS		opt_slip.h
--- sys/conf/NOTES.orig	2012-09-06 16:58:11.000000000 +0200
+++ sys/conf/NOTES	2012-09-06 16:14:47.000000000 +0200
@@ -916,6 +916,8 @@
 # packets without touching the TTL).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
+# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything.
+# 
 # TCPDEBUG enables code which keeps traces of the TCP state machine
 # for sockets with the SO_DEBUG option set, which can then be examined
 # using the trpt(8) utility.
@@ -933,6 +935,7 @@
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 options 	IPSTEALTH		#support for stealth forwarding
+options		PF_DEFAULT_TO_DROP		#drop everything by default
 options 	TCPDEBUG
 
 # The MBUF_STRESS_TEST option enables options which create
