IPF will match packets on many criteria. The one we most commonly think of is the
IP address. There are some blocks of address space from which we should never receive
traffic from the Internet. One such block is the private network 192.168.0.0/16 (/16 is the
CIDR notation for a netmask; you may be more familiar with the dotted-decimal form,
255.255.0.0. IPF accepts both). If you wanted to block 192.168.0.0/16, this is one way to do it:
block in quick from 192.168.0.0/16 to any
pass in all
Now we have a less stringent ruleset that actually does something for us. Let's
imagine a packet comes in from 1.2.3.4. The first rule is applied:
block in quick from 192.168.0.0/16 to any
The packet is from 1.2.3.4, not 192.168.*.*, so there is no match. The second rule is
applied:
pass in all
The packet from 1.2.3.4 is definitely a part of all, so the packet is sent on
to whatever its destination happened to be.
On the other hand, suppose we have a packet that comes in from 192.168.1.2. The first
rule is applied:
block in quick from 192.168.0.0/16 to any
There's a match, the packet is dropped, and that's the end. Again, it doesn't move on to
the second rule because the first rule matches and contains the quick keyword. Without
quick, IPF would keep reading to the end of the ruleset and the last matching rule would
decide; here that would be pass in all, and the 192.168.1.2 packet would get through.
At this point you can build a fairly extensive set of definite addresses which are
passed or blocked. Since we've already started blocking private address space from
entering our firewall, let's take care of the rest of it:
block in quick from 192.168.0.0/16 to any
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
pass in all
The first three address blocks are the private address space reserved by RFC 1918
(10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; in dotted-decimal netmasks 255.0.0.0,
255.240.0.0 and 255.255.0.0).[[dagger]] It is never routed on the public Internet, so a packet
arriving from outside with one of these source addresses is forged or misconfigured. Note
that as written these rules match on every interface. If the firewall also serves a private
LAN, restrict them to the external interface with the on keyword (for example,
block in quick on tun0 from 192.168.0.0/16 to any, with tun0 standing for your external
interface), or they will block your own LAN's traffic as well. [[footnote:
[[dagger]] See RFC 1918 at <http://www.faqs.org/rfcs/rfc1918.html> ]]
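To make the evaluation order concrete, here is a small Python model of how ipf reads a ruleset. It is an added example written for this page, not IPF source or a tool that ships with IPF: it parses only the subset of ipf.conf syntax shown above (block/pass, in/out, optional quick, "all" or "from ADDR to ADDR"), matches on direction and addresses only (no interface, protocol, port or state keywords), and assumes IPF's default of passing a packet that matches no rule. The two rulesets and the test packets are constructed sample input; the second ruleset is the page's RFC 1918 rules with quick removed, to show why the keyword matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]   # None stands for "any"


@dataclass
class Rule:
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    quick: bool      # if this rule matches, stop reading the ruleset
    src: Net
    dst: Net
    text: str        # original rule line, reported as the deciding rule


def _parse_addr(token: str) -> Net:
    if token == "any":
        return None
    # ipaddress accepts both CIDR (192.168.0.0/16) and dotted-netmask
    # (192.168.0.0/255.255.0.0) forms, as IPF does.
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the ipf.conf subset used on this page (assumption: nothing else):
    <block|pass> <in|out> [quick] (all | from <addr> to <addr>)"""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("block", "pass") or tokens[1] not in ("in", "out"):
        raise ValueError(f"cannot parse rule: {line!r}")
    action, direction, rest = tokens[0], tokens[1], tokens[2:]
    quick = rest[0] == "quick"
    if quick:
        rest = rest[1:]
    if rest == ["all"]:
        src = dst = None
    elif len(rest) == 4 and rest[0] == "from" and rest[2] == "to":
        src, dst = _parse_addr(rest[1]), _parse_addr(rest[3])
    else:
        raise ValueError(f"cannot parse rule: {line!r}")
    return Rule(action, direction, quick, src, dst, line.strip())


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Decide a packet's fate the way ipf reads a ruleset: top to bottom, the
    LAST matching rule wins, except that a matching 'quick' rule ends the search
    at once. With no match at all, IPF's default is to pass the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = ("pass", "<default: no rule matched>")
    for r in rules:
        if r.direction != direction:
            continue
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            decision = (r.action, r.text)
            if r.quick:
                break
    return decision


# The page's ruleset, reproduced here as constructed sample input.
RFC1918_QUICK = parse_ruleset("""
block in quick from 192.168.0.0/16 to any
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
pass in all
""")

# The same rules with 'quick' removed: 'pass in all' is now the last match for
# every inbound packet and silently overrides the three block rules.
RFC1918_NO_QUICK = parse_ruleset("""
block in from 192.168.0.0/16 to any
block in from 172.16.0.0/12 to any
block in from 10.0.0.0/8 to any
pass in all
""")

# Constructed test packets: (direction, source, destination)
PACKETS = [
    ("in", "1.2.3.4", "203.0.113.5"),        # ordinary Internet source
    ("in", "192.168.1.2", "203.0.113.5"),    # hits the first block rule
    ("in", "172.31.255.254", "203.0.113.5"), # top of 172.16.0.0/12
    ("in", "172.32.0.1", "203.0.113.5"),     # just outside 172.16.0.0/12
    ("in", "10.9.8.7", "203.0.113.5"),       # hits the third block rule
    ("out", "192.168.1.2", "203.0.113.5"),   # no 'out' rules: default pass
]

if __name__ == "__main__":
    for name, rules in (("with quick", RFC1918_QUICK), ("without quick", RFC1918_NO_QUICK)):
        print(f"--- {name} ---")
        for direction, src, dst in PACKETS:
            action, why = evaluate(rules, direction, src, dst)
            print(f"{direction:>3} {src:>15} -> {dst:<12} {action:5}  ({why})")
```

Running it prints the decision and deciding rule for each packet under both rulesets; the 192.168.1.2 and 10.9.8.7 packets are blocked only in the first, which is the whole point of quick. When you write real rules, the same last-match behaviour applies to everything after the quick rules, so keep the catch-all pass in all last and every block you want to be final marked quick.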