LinuxQuestions.org


J_Szucs 05-20-2003 03:56 AM

Separate firewall interface?
 
I would like to know your opinion about the following:

I want to put a separate, third NIC into our internet gateway machine. The only function of this interface would be to let me build the internet firewall I imagine.

Why do I need a separate interface for this? The firewall I want would use the advanced stateful rules of ipfw, which, however, cannot be implemented on our present oif, where natd (IP masquerading) would interfere with the dynamic firewall rules.
So far I have never heard of anyone successfully making ipfw's advanced stateful rules and natd work on the same network interface.

Then came the idea that I could put an additional interface in front of the present oif, and set up the firewall there. (I would like to avoid using a separate router or firewall machine, if my aim could be established, e.g., by adding only an additional NIC.)
Since I am a green newbie to routing and also to firewalls, I wonder if this idea has any drawbacks, or even if it can be implemented.
So, what is your opinion?


All times are GMT -5.