Thanks Manuel, I suspected something along those lines. I played
with some related sysctl parameter settings, but do not yet know enough
about the implementation of bridging & ipfw.
Maybe I'll take a look at the code of the shaping wizard in order to
try and modify it so that it only generates rules for ingress traffic
for the case where bridging is enabled (and thus sysctl
net.inet.ip.fw.one_pass=1 which forces a single pass through the firewall).