After testing port scanners on OS 10.2.6 using the built-in firewall (IPFW), and then trying Brickhouse, I did some further investigation into the details of IPFW.
I hope that my rules below, which enable the stateful behavior of the firewall, are more secure than the default or Brickhouse default rules. You can, of course, use Brickhouse to implement these rules:

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
check-state
allow ip from any to 255.255.255.255
allow udp from any 67-68 to any 67-68
allow icmp from any to any in icmptype 3
allow ip from any to any keep-state out
deny ip from any to any

[robg adds: To add these rules using ipfw in the Terminal, you'd use ipfw add allow ip...etc -- see man ipfw for more information. Note that I have not tested these settings. Comments on their validity, anyone?]
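
To make the effect of the rule order concrete, here is an added example that is not part of the original hint: a simplified Python model of first-match evaluation over the nine rules, in which keep-state fills a state table and check-state reads it. The packet fields, addresses and sample packets are constructed, and the model ignores state timeouts and TCP flags, so it illustrates the logic rather than reproducing ipfw itself.

```python
import ipaddress

# Simplified first-match model of the rule set above; packets are constructed.
def pkt(proto, src, sport, dst, dport, direction, iface="en0", icmptype=None):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                dir=direction, iface=iface, icmptype=icmptype)

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def flow_key(p):
    # Direction-independent key so a reply matches the state of its request.
    return (p["proto"],) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def evaluate(p, states):
    if p["iface"] == "lo0":
        return "allow", "allow ip from any to any via lo0"
    if in_net(p["dst"], "127.0.0.0/8"):
        return "deny", "deny ip from any to 127.0.0.0/8"
    if in_net(p["src"], "127.0.0.0/8"):
        return "deny", "deny ip from 127.0.0.0/8 to any"
    if flow_key(p) in states:
        return "allow", "check-state"
    if p["dst"] == "255.255.255.255":
        return "allow", "allow ip from any to 255.255.255.255"
    if p["proto"] == "udp" and p["sport"] in (67, 68) and p["dport"] in (67, 68):
        return "allow", "allow udp from any 67-68 to any 67-68"
    if p["proto"] == "icmp" and p["dir"] == "in" and p["icmptype"] == 3:
        return "allow", "allow icmp from any to any in icmptype 3"
    if p["dir"] == "out":
        states.add(flow_key(p))
        return "allow", "allow ip from any to any keep-state out"
    return "deny", "deny ip from any to any"

def demo():
    states, host, peer = set(), "192.0.2.10", "198.51.100.7"
    packets = [
        ("unsolicited inbound SSH", pkt("tcp", peer, 40000, host, 22, "in")),
        ("outbound HTTP request", pkt("tcp", host, 50000, peer, 80, "out")),
        ("reply to that request", pkt("tcp", peer, 80, host, 50000, "in")),
        ("spoofed loopback source", pkt("tcp", "127.0.0.1", 80, host, 50000, "in")),
        ("inbound ICMP unreachable", pkt("icmp", peer, 0, host, 0, "in", icmptype=3)),
        ("inbound ICMP echo request", pkt("icmp", peer, 0, host, 0, "in", icmptype=8)),
    ]
    return [(label, *evaluate(p, states)) for label, p in packets]

if __name__ == "__main__":
    for label, action, rule in demo():
        print(f"{action:5} {label:26} <- {rule}")
```

Running it prints which rule decides each sample packet: the inbound reply is accepted only because the earlier outbound packet created state, while unsolicited inbound traffic falls through to the final deny.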
Mac OS X Hints
http://hints.macworld.com/article.php?story=20030830130455582