It seems very frequent that companies have internal networks before they want a link to
the outside world. In fact, it's probably reasonable to say that's the main reason people
consider firewalls in the first place. The machine that bridges the outside world to the
inside world and vice versa is the router. What separates the router from any other
machine is simple: It has more than one interface.
Every packet you receive comes from a network interface; every packet you transmit goes
out a network interface. Say your machine has 3 interfaces, lo0 (loopback), xl0
(3Com Ethernet), and tun0 (FreeBSD's generic tunnel interface that PPP uses), and
you don't want any packets coming in on the tun0 interface. Two rules are enough:
block in quick on tun0 all
pass in all
In this case, the on keyword means that the rule applies to data coming in on the named interface. If a packet comes in on tun0, the first rule matches and blocks it. If a packet comes in on lo0 or on xl0, the first rule does not match, the second rule does, and the packet is passed.
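To make the matching behaviour concrete, here is a small simulator of how IPFilter walks an "in" rule set (added example, not code from the HOWTO or from IPFilter itself; it models only the pass/block, quick, on and all keywords used above). It also shows why the quick keyword matters: IPFilter lets the last matching rule decide unless a rule is marked quick, so the same two rules without quick would pass tun0 traffic.

```python
"""Tiny simulator of IPFilter's rule-matching semantics for the rule
subset used on this page: action (pass/block), direction, optional
'quick', optional 'on <iface>', and 'all'. Constructed example."""
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<quick>quick))?(?:\s+on\s+(?P<iface>\S+))?\s+all$"
)

def parse_rule(text):
    """Parse one rule line into a dict; raise on anything outside the subset."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    return {
        "action": m["action"],
        "dir": m["dir"],
        "quick": m["quick"] is not None,
        "iface": m["iface"],  # None means "any interface"
    }

def evaluate(rules, direction, iface):
    """Return 'pass' or 'block' for a packet seen on `iface` going `direction`.

    IPFilter walks every rule in order: without 'quick' the LAST matching
    rule decides; a 'quick' rule stops the walk at the first match. A packet
    matching no rule at all is passed (IPFilter's default), which is why
    real rule sets normally start with a block-everything rule.
    """
    verdict = "pass"
    for rule in rules:
        if rule["dir"] != direction:
            continue
        if rule["iface"] is not None and rule["iface"] != iface:
            continue
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict

# The two rules from the text, and the same pair with 'quick' dropped.
PAGE_RULES = [parse_rule(r) for r in ("block in quick on tun0 all", "pass in all")]
NO_QUICK_RULES = [parse_rule(r) for r in ("block in on tun0 all", "pass in all")]

if __name__ == "__main__":
    for iface in ("tun0", "xl0", "lo0"):
        print(iface, "with quick:", evaluate(PAGE_RULES, "in", iface),
              "| without quick:", evaluate(NO_QUICK_RULES, "in", iface))
```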