In section 30.4.4 (Configuring NAT) there is a ruleset for inbound/outbound NAT. Below that, a scenario is drawn:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 500"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
$cmd 005 allow all from any to any via xl0 # exclude LAN...