How to create OS X Server Admin firewall rules using ip address groups by command line

As @bmike said, Internet Sharing hides a lot of complexity behind a very simple interface, and some of your questions can't be answered authoritatively without interviewing some of the Apple engineers behind it. But that won't stop me from taking a stab at it...

1) AirPort is different from the other interface types because in order to share over AirPort, your Mac has to actually create the wireless network (as opposed to just providing service over an existing ethernet, FireWire, etc connection). This means that InternetSharing needs to have a bunch of info about how to create the wireless network: network name (SSID), channel, security, etc.

2) Resharing over the same ethernet interface is useful under some circumstances. For example, on my home network my ISP provides limited number of static IP addresses for my use. I run a Mac doing the equivalent of Internet Sharing (actually, I set up the daemons manually as @Spiff recommended) to reshare over the same ethernet. Result: if I put a computer on my home ethernet and config it via DHCP, I get a private (behind-the-firewall) IP address from my virtually unlimited internal pool. If I manually config the computer with one of the public IPs, I get full unfitered internet access, but use up one of my limited public IP pool. Because they're both on the same network, "moving" a computer behind or in front of the firewall is just a simple configuration switch.

On the other hand, if you did this same trick on an ethernet network that already had a DHCP server, computers attaching to the network would randomly get configuration from one server or the other, leading to unpredictability, confusion, and hair-pulling. It's definitely a use-only-if-you-know-what-you're-doing feature. Fortunately, Internet Sharing is smart: if it detects another DHCP server on "its" private network, it shuts itself off to avoid trouble.

3) I don't know of a way to change the private IP range on an IS-created wireless network. On the other hand, it shouldn't really matter, since the network is being created by Internet Sharing, and therefore it doesn't have to worry about conflicts with any existing network numbering.

4) You can add interfaces with Apple's USB Ethernet Adapter. Get some USB hubs, and pile them on!

Assuming you want the domains to be synonymous (e.g. richard@domain.com and richard@domain.co.uk both correspond to the same mailbox), it's pretty easy. The trick is that the relevant configuration option is available in Server Admin.app but not Server.app. To get Server Admin, install the server admin tools (v10.7.4 is here, be sure to get the version matching what you're installing on), then open /Applications/Server/Server Admin.

In Server Admin, connect to the server (if it doesn't autoconnect), then select the server name in the sidebar -> Settings in the toolbar -> Services tab -> enable the Mail service and click Save in the bottom right (note: the Save button doesn't highlight very clearly when there are settings that need saving; just get in the habit of clicking it after doing anything).

Once the Mail service is enabled, it should appear in the sidebar (although you may need to click the disclose triangle next to the server name). Select Mail in the sidebar -> Settings in the toolbar -> Advanced tab -> Hosting subtab -> add the additional domain(s) to the "Local Host Aliases" list.

Note: this configures the server to accept mail for additional domain(s). In order for this to do anything useful, you also need to add MX records to DNS for the additional domain(s), so other servers know to deliver the mail to your server.

EDIT: to handle non-synonymous ("virtual") domains, go to Server Admin -> Mail -> Settings -> Advanced -> Hosting, enable virtual hosting, and add the domain(s) to the "Locally Hosted Virtual Domains" list. Then, add aliases to your user accounts for their virtual email addresses. You can add aliases either in Server.app (right-click on a user account and choose Advanced Options), or in Workgroup Manager by adding aliases to the Short Names list.

For example, if you had domain.com as your primary domain, domain.co.uk as a host alias, and otherdomain.co.uk as a virtual domain, and your account was "richard", you would be reachable as richard@domain.com and richard@domain.co.uk, but would have no address at otherdomain.co.uk. If you added "rich@otherdomain.co.uk" as an alias for your account, you'd then also be reachable at that address (but not at rich@domain.com or rich@domain.co.uk).

Note: you can also add aliases in the file /etc/aliases (e.g. add the line "rich@otherdomain.co.uk: richard" to get the effect I described above). If you do this, run sudo newaliases and then sudo postfix reload to get the change to take effect.