Looking at one of our CDN nodes with pmcstat, ipfw incurs a significant penalty on uncontested rwlocks for each packet. The problem seems to be that each rw_rlock is actually a serializing mutex to prevent reader priority inversion.
This was fixed in head r272514