however, someone at my work wants me to install a
firewall at a colo site - in front of say, six
machines, all with public internet routable
You want a bridge. It operates at layer 2, so there's no translation
About one year ago I set up a bridge in a similar configuration.
My experience was that the bridge put a real hamper on performance if
you don't get good NICs. We went from 3Com 905s to Intel 1000MTs and
saw a significant, measurable increase in bandwidth over the bridge.
The OpenBSD computer itself was pretty low-budget, and this undoubtedly
had some effect, but again, big difference once we upgraded the NICs.