diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index b62f6f9683e..3e87afaaa81 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -49,9 +49,9 @@ natd_flags="" # Additional flags for natd.
 tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
 log_in_vain="NO" # YES to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
-tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
 tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
 # NOTE: this breaks rfc1644 extensions (T/TCP)
+tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
 icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 3b8b8a7d907..ed50060dace 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
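Review bot: tcp_restrict_rst is documented only by its benefit, while the neighbouring tcp_drop_synfin entry carries a NOTE about what it breaks; the same gap is in the TCP_RESTRICT_RST paragraph of the sys/conf/NOTES, sys/i386/conf/LINT and sys/i386/conf/NOTES hunks. Suppressing RSTs presumably means a legitimate peer that reaches a closed port or a stale connection waits for a timeout instead of getting a prompt refusal, and the option only makes closed ports silent rather than protecting listening services. I would add a continuation line such as `# NOTE: peers see timeouts instead of "connection refused"` under the rc.conf entry and a matching sentence to the NOTES paragraph.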
@@ -472,16 +472,16 @@ options TCPDEBUG
 # The following options add sysctl variables for controlling how certain
 # TCP packets are handled.
 #
-# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
-# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
-# or any system which one does not want to be easily portscannable.
-#
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
-options TCP_RESTRICT_RST #restrict emission of TCP RST
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
 options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+options TCP_RESTRICT_RST #restrict emission of TCP RST
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
 # typically want this option as it will help protect the machine from
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 3b8b8a7d907..ed50060dace 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -472,16 +472,16 @@ options TCPDEBUG
 # The following options add sysctl variables for controlling how certain
 # TCP packets are handled.
 #
-# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
-# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
-# or any system which one does not want to be easily portscannable.
-#
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
-options TCP_RESTRICT_RST #restrict emission of TCP RST
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
 options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+options TCP_RESTRICT_RST #restrict emission of TCP RST
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
 # typically want this option as it will help protect the machine from
diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index 3b8b8a7d907..ed50060dace 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -472,16 +472,16 @@ options TCPDEBUG
 # The following options add sysctl variables for controlling how certain
 # TCP packets are handled.
 #
-# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
-# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
-# or any system which one does not want to be easily portscannable.
-#
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
-options TCP_RESTRICT_RST #restrict emission of TCP RST
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
 options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+options TCP_RESTRICT_RST #restrict emission of TCP RST
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
 # typically want this option as it will help protect the machine from