As @bmike said, Internet Sharing hides a lot of complexity behind a very simple interface, and some of your questions can't be answered authoritatively without interviewing some of the Apple engineers behind it. But that won't stop me from taking a stab at it...
1) AirPort is different from the other interface types because in order to share over AirPort, your Mac has to actually create the wireless network (as opposed to just providing service over an existing ethernet, FireWire, etc. connection). This means that Internet Sharing needs to have a bunch of info about how to create the wireless network: network name (SSID), channel, security, etc.
2) Resharing over the same ethernet interface is useful under some circumstances. For example, on my home network my ISP provides a limited number of static IP addresses for my use. I run a Mac doing the equivalent of Internet Sharing (actually, I set up the daemons manually as @Spiff recommended) to reshare over the same ethernet. Result: if I put a computer on my home ethernet and config it via DHCP, I get a private (behind-the-firewall) IP address from my virtually unlimited internal pool. If I manually config the computer with one of the public IPs, I get full unfiltered internet access, but use up one of my limited public IP pool. Because they're both on the same network, "moving" a computer behind or in front of the firewall is just a simple configuration switch.
On the other hand, if you did this same trick on an ethernet network that already had a DHCP server, computers attaching to the network would randomly get configuration from one server or the other, leading to unpredictability, confusion, and hair-pulling. It's definitely a use-only-if-you-know-what-you're-doing feature. Fortunately, Internet Sharing is smart: if it detects another DHCP server on "its" private network, it shuts itself off to avoid trouble.
3) I don't know of a way to change the private IP range on an IS-created wireless network. On the other hand, it shouldn't really matter, since the network is being created by Internet Sharing, and therefore it doesn't have to worry about conflicts with any existing network numbering.
4) You can add interfaces with Apple's USB Ethernet Adapter. Get some USB hubs, and pile them on!
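The "two DHCP servers on one segment" situation described in point 2 above is easy to spot from a packet capture: every host that sends DHCP replies is a DHCP server. The following script is an added example and is not part of the answer above or of Internet Sharing itself; the capture lines are constructed to resemble `tcpdump -n` output, and the IP addresses in them are made-up sample values.

```shell
#!/bin/sh
# Added example (not from the original answer): detect more than one DHCP
# server answering on a segment, the situation that leads to "unpredictable
# configuration" when Internet Sharing is reshared onto an ethernet that
# already has a DHCP server.

# Constructed sample capture: two different hosts answering DHCP requests
# on the same segment (an upstream router and a Mac resharing the network).
sample_dhcp_log() {
    cat <<'EOF'
12:00:01.001 IP 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:01.004 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:01.210 IP 192.168.1.23.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:ff, length 300
12:00:01.212 IP 192.168.1.1.67 > 192.168.1.23.68: BOOTP/DHCP, Reply, length 300
EOF
}

# Read capture lines on stdin and print each distinct host that sent a DHCP
# reply (source port 67, the server port). Client requests are ignored.
dhcp_servers_seen() {
    awk '/BOOTP\/DHCP, Reply/ {
            src = $3                     # third field, e.g. 192.168.1.1.67
            sub(/\.67$/, "", src)        # strip the source port
            if (!(src in seen)) { seen[src] = 1; print src }
        }' | sort
}

# Exit 0 when at most one server answers, 1 when several do.
rogue_dhcp_check() {
    n=$(dhcp_servers_seen | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Stand-alone run: list the servers, then report whether there is a conflict.
sample_dhcp_log | dhcp_servers_seen
if sample_dhcp_log | rogue_dhcp_check; then
    echo "single DHCP server: OK"
else
    echo "WARNING: more than one DHCP server answering on this segment"
fi
```

On a real network you would feed `dhcp_servers_seen` from a capture such as `tcpdump -n -i en0 port 67 or port 68` instead of the constructed sample; any second address in its output is either a misconfiguration like the one the answer warns about or a rogue server worth investigating.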
Worked for me.
I wanted to open traffic on port 70, so I entered the following:
sudo ipfw add 7000 allow tcp from any to any dst-port 70
The response from the command-prompt was:
07000 allow tcp from any to any dst-port 70
Yes, the 0 was automatically added to the rule #, so it is worth noting that any rule ID < 10,000 will be prefixed by one or more zeroes.
Best Answer
To open a port you would use the following line(s):
To quick-start pf and open a port with one of the lines above use e.g.:
To test the rule(s) use:
sudo pfctl -s rules
After a reboot you would have to enter the command again, because pf is not started automatically.
By default the pf.conf file has no blocking all rule. So even after starting pf with
sudo pfctl -e
nothing is blocked. If you don't want to dive deeply into pf/pf.conf/pfctl, I recommend using a pfctl GUI like the free Murus Lite to configure pf.
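Because the stock pf.conf has no "block all" rule, opening a port on its own changes nothing; the rule only means something once there is a default-deny policy for it to punch through. The script below is an added example and is not from the answer above or from Apple's pf configuration: it generates a minimal ruleset with a default deny and one allowed TCP port, and syntax-checks it with `pfctl -nf` where pfctl is available. The output file path is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): build a minimal pf ruleset
# that opens one TCP port on top of a default-deny policy, i.e. the
# "block all" rule that the stock macOS pf.conf lacks.
set -eu

# Print a pf ruleset that allows inbound TCP on port $1 and drops all other
# unsolicited inbound traffic. Outbound connections and their replies are
# allowed by the stateful "pass out" rule. Rejects non-numeric ports.
pf_ruleset() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "pf_ruleset: port must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
# never filter the loopback interface
set skip on lo0
# default deny: the stock pf.conf has no rule like this, so without it
# 'pfctl -e' blocks nothing
block in all
# allow everything this host initiates, keeping state for the replies
pass out all keep state
# the one service that should be reachable from outside
pass in proto tcp from any to any port $port flags S/SA keep state
EOF
}

# Write the ruleset to a file (default /tmp/pf-open-port.conf, an assumed
# path) and, where pfctl exists, parse it without loading (-n) to catch
# syntax errors before anything touches the live firewall.
write_ruleset() {
    port="$1"
    out="${2:-/tmp/pf-open-port.conf}"
    pf_ruleset "$port" > "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"
    fi
    printf '%s\n' "$out"
}

# Count the "pass in" rules in a ruleset file, to confirm that exactly the
# intended port was opened and nothing else.
count_pass_in() {
    grep -c '^pass in ' "$1"
}
```

To apply the generated file on macOS you would run `sudo pfctl -f /tmp/pf-open-port.conf` followed by `sudo pfctl -e`, and, as the answer notes, repeat that after every reboot because pf is not started automatically. The `-nf` check in `write_ruleset` is the step worth keeping in any script that edits pf rules: a ruleset that fails to parse leaves the previous rules in place, so catching the error before `-f` avoids silently running with no policy at all.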