diff --git a/etc/rc.firewall b/etc/rc.firewall
index ac95667d901b..c5ac0b257e88 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -67,17 +67,25 @@ esac
 ${fwcmd} -f flush
 
 ############
-# These rules are required for using natd.  All packets are passed to
-# natd before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd,
-# minus any divert rules (see natd(8)).
+# Network Address Translation.  All packets are passed to natd(8)
+# before they encounter your remaining rules.  The firewall rules
+# will then be run again on each packet after translation by natd
+# starting at the rule number following the divert rule.
 #
-case ${natd_enable} in
-[Yy][Ee][Ss])
-	if [ -n "${natd_interface}" ]; then
-	      ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
-	fi
+# For ``simple'' firewall type the divert rule should be put to a
+# different place to not interfere with address-checking rules.
+# 
+case ${firewall_type} in
+[Ss][Ii][Mm][Pp][Ll][Ee])
 	;;
+*)
+	case ${natd_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${natd_interface}" ]; then
+			${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
+		fi
+		;;
+	esac
 esac
 
 ############
@@ -171,27 +179,48 @@ case ${firewall_type} in
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
-	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
-	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
 	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
-	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 
 	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 	# on the outside interface
-	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
-	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
 	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
-	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
 	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
-	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
 	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
-	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
 
+	# Network Address Translation.  This rule is placed here deliberately
+	# so that it does not interfere with the surrounding address-checking
+	# rules.  If for example one of your internal LAN machines had its IP
+	# address set to 192.0.2.1 then an incoming packet for it after being
+	# translated by natd(8) would match the `deny' rule above.  Similarly
+	# an outgoing packet originated from it before being translated would
+	# match the `deny' rule below.
+	case ${natd_enable} in
+	[Yy][Ee][Ss])
+		if [ -n "${natd_interface}" ]; then
+			${fwcmd} add divert natd all from any to any via ${natd_interface}
+		fi
+		;;
+	esac
+
+	# Stop RFC1918 nets on the outside interface
+	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+
+	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
+	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
+	# on the outside interface
+	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established