Having waited for months, I have installed Icefloor 1.5 on my OSX Mountain Lion Server (on a Mac Mini) to manage the NAT and firewall.
However I found that Icefloor has a few problems:
1. I can only disable its firewall completely (i.e. Inbound -> select the "Allow all inbound connections (no filtering, unsafe)" option). Otherwise the OS X Server's DHCP server will not work. It will not work even if I tick all the "Services" that Icefloor lists, or even if I enter both TCP and UDP on ports 67 plus 68 under "Inbound Custom Services".
The DHCP Server simply does not work, until I choose the "Allow all inbound connections (no filtering, unsafe)" option.
2. I cannot set different inbound rules for the WAN and LAN interfaces. I want my LAN to be able to access anything (any port), while at the same time blocking any WAN traffic except established connections or traffic to port 80 and the FTP ports. But I found that this is not possible via Icefloor's interface. Maybe it is possible to do this by editing the "anchor". But I found this very different from other firewalls such as pfSense / iptables.
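
The per-interface policy described in the post, written as pf rules of the kind that could go into an anchor file. This is an added example, not part of the original post and not Icefloor's own generated rules; the interface names `en0` (WAN) and `en1` (LAN) are assumptions, and only the FTP control port is opened because the post does not name a passive data port range.

```pf
# Assumed interface names (not from the post); check with `ifconfig`.
wan_if = "en0"
lan_if = "en1"

# WAN: drop every inbound packet by default. pf evaluates rules
# top to bottom and the last matching rule wins, so the pass
# rules below override this block for the listed ports only.
block in on $wan_if all

# WAN exceptions: HTTP (80) and the FTP control channel (21).
# "keep state" lets the replies of each accepted connection through
# without a separate rule. A passive-mode FTP data port range would
# need its own rule matching the range configured on the FTP server.
pass in on $wan_if proto tcp from any to any port { 80, 21 } flags S/SA keep state

# LAN: DHCP requests. A DHCPDISCOVER is sent from 0.0.0.0 port 68 to
# 255.255.255.255 port 67, so the rule matches on the UDP ports and
# not on the LAN subnet; a rule restricted to LAN source addresses
# would not match a client that has no address yet.
pass in quick on $lan_if proto udp from any port 68 to any port 67

# LAN: everything else from the inside network is allowed.
pass in on $lan_if all keep state

# Outbound traffic from the server and forwarded LAN traffic; the
# state entries created here are what admit "established" replies
# arriving on the WAN interface despite the default block.
pass out all keep state
```

`pfctl -nf <file>` parses a rules file without loading it, which catches syntax errors before the rules are applied.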