IPFW: combining "divert natd" with "keep-state"
Subscriber
subscriber at insignia.com
Wed Jun 11 03:05:06 PDT 2003
I've been using ipfw for a while to create a router with NAT
and packet filtering, but have never combined it with
stateful filtering, instead using things like "established" to
accept incoming TCP packets which are part of a conversation
initiated from the "inside".
I'd like to move to using keep-state/check-state to get tighter
filtering and also to allow outgoing UDP and the replies, which
currently I block.
But I just can't get my head around how to do this. On the way
out, should the dynamic rules be created to match the pre-NAT
or post-NAT packets?
The man pages are good at explaining both NAT and dynamic
rules but not both in combination.
Jim Hatfield