The firewall has very little to do with ARP, which is a low-level protocol that appears on Ethernet segments. On the public side of your firewall, any ARP request for your public-side IP address ought to be answered with the Ethernet address (6-bytes) of your public-side interface.
On the private side (your 192.168.1.x net), ARP requests for the private-side IP address should likewise be answered with the Ethernet address of the private-side interface.
The firewall machine should NOT (and will not) answer ARP requests on the private side for public IP addresses. In order for traffic to flow through the firewall to the public Internet, you need to specify a default route in each of the systems on the private net (except the firewall); that default route should specify the private-side address of the firewall as the gateway.
In a similar fashion, the firewall machine will not answer ARP requests on the public-side which ask for resolution of a private-side address. The situation is a little different on this side, because the Private Networking addresses (192.168.x.y) should never appear on the public Internet. Any public router that receives a packet containing such an address will discard it. Therefore, you will probably never see an ARP for a 192.168.1.x address on your public interface.