
There are a lot of examples where people use keep-state and setup together. For example:

ipfw add 1 allow tcp from any to me 22 setup keep-state

Because of setup, this rule will allow only SYN packets, which are the first packets in the TCP handshake. OK.

But why is this so necessary? Why not just use keep-state without setup? What's the benefit?

Anthon
eytukan

2 Answers


The setup argument is related to what the rule matches. In this case, it matches the first packet of a TCP 3-way handshake where the client sends a SYN packet to the server.

The keep-state argument is an instruction about what to do after the rule has been matched. In this case it says to allow all other packets once the first packet has been sent.

The setup keep-state pattern is usually used for outbound connections, not inbound connections like you've done in this example.

Quetza
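
As an added illustration of the question and the answer above (this is not part of the thread and not ipfw's own code), a small Python model of the rule `allow tcp from any to me 22 [setup] keep-state`: `setup` matches only SYN-without-ACK packets, and `keep-state` records the flow of whatever packet matched so later packets in either direction pass. The hosts A and B, the traffic and the "me" address are constructed for the demonstration; the model only covers this one rule and a default deny.

```python
# Simplified model of ipfw's `setup` / `keep-state` semantics for the rule
#   allow tcp from any to me 22 [setup] keep-state
# Added example, not ipfw source. Packets are dicts; "me" is the firewall.
ME = "me"

def is_setup(pkt):
    # `setup` matches TCP packets with SYN set and ACK clear: the client's
    # first handshake packet, and nothing else (no ACK, RST, FIN, SYN/ACK).
    return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]

class Ipfw:
    def __init__(self, use_setup):
        self.use_setup = use_setup
        self.dynamic = set()  # flow entries created by keep-state

    def _fwd(self, p):
        return (p["src"], p["sport"], p["dst"], p["dport"])

    def _rev(self, p):
        return (p["dst"], p["dport"], p["src"], p["sport"])

    def check(self, p):
        # check-state: packets in either direction of a recorded flow pass
        if self._fwd(p) in self.dynamic or self._rev(p) in self.dynamic:
            return "allow-dynamic"
        # the static rule itself
        if p["dst"] == ME and p["dport"] == 22:
            if self.use_setup and not is_setup(p):
                return "deny"               # setup: non-SYN cannot create state
            self.dynamic.add(self._fwd(p))  # keep-state records the flow
            return "allow-new-state"
        return "deny"                       # default deny in this model

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags)}

def run(use_setup):
    """Replay constructed traffic; return the verdict for each packet."""
    fw = Ipfw(use_setup)
    traffic = [
        pkt("A", 40000, ME, 22, "SYN"),         # real client starts a handshake
        pkt(ME, 22, "A", 40000, "SYN", "ACK"),  # our reply, matched by state
        pkt("B", 51000, ME, 22, "ACK"),         # stray ACK; B never sent a SYN
        pkt(ME, 22, "B", 51000, "ACK"),         # does a reply to B now pass?
    ]
    return [fw.check(p) for p in traffic]
```

With setup the stray ACK from B is dropped and no state is created; without it, the ACK alone creates a dynamic entry and the reply to B is then allowed, so the state table no longer reflects only genuine connection attempts.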

Here is some additional information explaining the options.

http://www.freebsdwiki.net/index.php/IPFIREWALL_%28IPFW%29_Firewall

jas-