sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2]
sysctl -w net.inet.udp.blackhole=[0 | 1]
I used the values (2,1), and nmap was then unable to even propose a set of values (it failed on tests 2, 5, 6, 7 and U). Not sure of the real value, but for the paranoid out there, why not give yourself a little extra edge?
[robg adds: I have not tested this one...]
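An added example, not part of the original hint: `sysctl -w` changes only the running kernel, so this sketch records the two settings in a sysctl.conf-style file without leaving duplicate or out-of-range entries. The function names are hypothetical, the file path is supplied by the caller, and whether your system reads such a file at boot is an assumption to verify.

```shell
#!/bin/sh
# Added example (not from the original hint). Function names are
# hypothetical; the conf file path is whatever the caller passes in.

# Accept only the values the hint lists: tcp 0|1|2, udp 0|1.
valid_blackhole() {   # $1 = key, $2 = value
  case "$1=$2" in
    net.inet.tcp.blackhole=[012]) return 0 ;;
    net.inet.udp.blackhole=[01])  return 0 ;;
    *) return 1 ;;
  esac
}

# Set key=value in file $3: replace any existing line for the key so the
# file never holds two conflicting values, otherwise append it.
set_blackhole() {     # $1 = key, $2 = value, $3 = conf file
  valid_blackhole "$1" "$2" || { echo "rejected: $1=$2" >&2; return 1; }
  [ -f "$3" ] || : > "$3"
  tmp="$3.tmp.$$"
  awk -v k="$1" -v v="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ {
      if (!done) { print k "=" v; done = 1 }
      next
    }
    { print }
    END { if (!done) print k "=" v }
  ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# Print the value stored for key $1 in file $2 (empty if unset).
get_blackhole() {
  awk -F= -v k="$1" '
    { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
    $1 == k { v = $2 }
    END { print v }' "$2"
}

# Demo on a constructed file (contents are sample data).
conf=$(mktemp)
printf 'kern.maxfiles=12288\nnet.inet.tcp.blackhole=0\n' > "$conf"
set_blackhole net.inet.tcp.blackhole 2 "$conf"
set_blackhole net.inet.udp.blackhole 1 "$conf"
cat "$conf"; rm -f "$conf"
```

Commented-out lines and unrelated keys in the file are left untouched, and a value outside the ranges shown in the hint is rejected before the file is modified.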

