Trying to understand ipfirewall/divert/nat

Kenneth W Cochran kwc at TheWorld.com
Tue Jan 6 20:32:43 PST 2004


Hello:

I'm trying to grok overall firewall & natd (ipnat?)
configuration strategy using ipfirewall.

Interfaces:
dc0 - "public" to outside network(s)
dc1 - internal 192.168.0.1/24
dc2 - internal 192.168.1.100/24, currently unused
dc3 - currently unused

OS: FreeBSD 4.9-STABLE as of 10 December 2003
firewall: ipfw2
Running natd between dc0 & dc1

dc0 gets its IP address, etc., via DHCP/dhclient.

Problems/questions:

ICMP (for example):  Would like to be able to:
  Ping/traceroute, etc. from any machine on the local net to anywhere.
  Be "invisible" to ICMP Echo Request from outside.
  Be "visible" to other relevant ICMP messages from outside,
    e.g. traceroute, Path MTU Discovery

For example, the following ruleset (from the Ipfw-HOWTO at
http://www.freebsd-howto.com/) takes care of icmp echo
request/reply on the outside-exposed machine, but breaks
that (& traceroute) on internal machines.

        1000 allow icmp from any to any out icmptypes 8
        1100 allow icmp from any to any in icmptypes 0
        1200 deny icmp from any to any in icmptypes 8

Would like to do similar things, e.g. allow/deny <insert
port/service/protocol here> & get all that to play nicely
with divert/natd.  For example, with divert, it appears that
we should have a ruleset for "before" the divert & another
"mirror-image" ruleset for "after" divert.  Where might I
find some nice explanations of the logic/strategy with this?

I guess what confuses me is /etc/rc.firewall does things one
way & the firewall(7) manpage another.

Where are some, umm, good sources of information about
ipfirewall (ipfw)?  Seems all the books talk about are
Linux's ipchains & iptables & *bsd's ipf.

Thanks,

-kc
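The "before divert" / "after divert" layout the question asks about, as an added example (not from the post, and not a copy of rc.firewall): an sh fragment in rc.firewall style that assumes dc0 is the public DHCP side, dc1 the 192.168.0.0/24 side, and natd on its standard divert port; it only prints the rules unless FWCMD=/sbin/ipfw is set.

```shell
#!/bin/sh
# Added example, not from the post or rc.firewall. Assumes dc0 is the
# public (DHCP) side, dc1 the 192.168.0.0/24 side, natd on the standard
# divert port. Dry-run by default: rules are printed, not loaded.
fwcmd="${FWCMD:-echo}"      # set FWCMD=/sbin/ipfw to load for real
oif="dc0"
iif="dc1"
inet="192.168.0.0/24"

build_rules() {
    $fwcmd -f flush
    # Loopback and anti-spoofing run BEFORE divert, on untranslated
    # addresses: a private source arriving on dc0 can only be forged.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from ${inet} to any in via ${oif}
    # Everything crossing dc0 is handed to natd here. Every rule after
    # this one sees translated addresses: inbound packets already carry
    # their 192.168.0.x destination, outbound ones the public source.
    $fwcmd add 500 divert natd all from any to any via ${oif}
    # Internal hosts may ping/traceroute out: echo requests leave dc0,
    # and the answers (echo reply, unreachable, time exceeded) come back
    # in, which also keeps Path MTU Discovery working.
    $fwcmd add 1000 allow icmp from any to any out via ${oif} icmptypes 8
    $fwcmd add 1100 allow icmp from any to any in via ${oif} icmptypes 0,3,11
    # Invisible to outside pings: the deny is restricted to dc0, so it
    # no longer swallows echo requests arriving from dc1 (the reason the
    # HOWTO ruleset broke ping from internal machines).
    $fwcmd add 1200 deny icmp from any to any in via ${oif} icmptypes 8
    # Outbound TCP/UDP (traceroute's UDP probes included) keep state;
    # dynamic rules are created after divert, so replies match them.
    $fwcmd add 2000 check-state
    $fwcmd add 2100 allow tcp from any to any out via ${oif} setup keep-state
    $fwcmd add 2200 allow udp from any to any out via ${oif} keep-state
    # The internal interface is trusted in both directions.
    $fwcmd add 3000 allow ip from any to any via ${iif}
    $fwcmd add 65000 deny log ip from any to any
}

build_rules
```

Run it once as-is to read the generated rules, then with FWCMD=/sbin/ipfw from a console login (not over the network) to load them.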


More information about the freebsd-questions mailing list