It seems very frequent that companies have internal networks before they want a link to the outside world. In fact, it's probably reasonable to say that's the main reason people consider firewalls in the first place. The machine that bridges the outside world to the inside world and vice versa is the router. What separates the router from any other machine is simple: It has more than one interface.

Every packet you recieve comes from a network interface; every packet you transmit goes out a network interface. Say your machine has 3 interfaces, lo0 (loopback), xl0 (3com ethernet), and tun0 (FreeBSD's generic tunnel interface that PPP uses), but you don't want packets coming in on the tun0 interface?
block in quick on tun0 all
pass in all
In this case, the on keyword means that that data is coming in on the named interface. If a packet comes in on tun0, the first rule will block it. If a packet comes in on lo0 or in on xl0, the first rule will not match, the second rule will, the packet will be passed.