Sepherosa Ziehau has made some improvements to ipfw in DragonFly, moving it to per-CPU state tracking among other things. (I haven’t mentioned just ipfw in foreeeever.)
His commit message describes the improvements. Of most interest: the changes reduce the performance impact of running ipfw to almost nothing in his tests. Does this translate to ipfw on other BSDs? I don’t know.