Fix description of blocklist rejection behavior

The previous wording ("silently routed to the fronting domain")
is inaccurate. In mtglib/proxy.go the blocklist path calls
conn.Close() immediately with no further handshake or fronting;
domain fronting only happens on FakeTLS failures for non-blocked
IPs. Reword to "TCP connection is closed with no response" so
users searching the docs get the same symptom they actually see.

README.md

@@ -529,8 +529,9 @@ message like:
 The reason is that the default blocklist (`firehol_level1.netset`)
 includes bogon networks, which covers all RFC1918 ranges
 (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`). Any client
-connecting from such an address is rejected by the blocklist and
-silently routed to the fronting domain.
+connecting from such an address is rejected by the blocklist —
+the TCP connection is closed immediately with no response, so
+from the client's point of view nothing loads at all.
 
 There are three ways to resolve it:
 

example.config.toml

@@ -321,8 +321,8 @@ download-concurrency = 2
 # networks, and therefore RFC1918 ranges as well (10.0.0.0/8,
 # 172.16.0.0/12, 192.168.0.0/16). If you run mtg on a home/LAN network
 # and connect from a client on the same LAN, that client will be
-# rejected with "ip was blacklisted" and silently routed to the fronting
-# domain. If you see this, you can either disable this section
+# rejected with "ip was blacklisted" and the connection dropped (TCP
+# close, no response). If you see this, you can either disable this section
 # (enabled = false), replace firehol_level1 with a narrower list that
 # does not include bogons (e.g. firehol_abusers_1d), or connect via
 # a public IP/domain with hairpin NAT on your router. See README for