Ordering firewall rules

As mentioned earlier, firewall rules are evaluated on a top-down basis. The first rule that matches a packet is executed, and the rest are skipped, so the order of firewall rules matters. Specific rules will usually precede more general rules. For example, consider the LAN interface. When pfSense is initially installed, it generates two default Allow LAN to any rules – one for IPv4 traffic and the other for IPv6 traffic. The purpose of these rules is to allow traffic from the LAN interface to any destination, thus allowing LAN nodes to communicate with other local networks and with the internet. If we had placed our newly created rule to block appleinsider.com after these rules, it would never be reached, since the Allow LAN to any rules match all traffic (any protocol and any destination). Therefore, it must be placed before these rules.

The easiest way to re-order rules in pfSense using the web GUI is to click on the rule you wish to move and drag it into place. You can also move rules by checking the checkbox in the leftmost column of a rule's entry, and then clicking on the Move selected rules above/below this one icon (the anchor icon) on the rule you want to move them next to. By default the selected rules are moved above that rule; use Shift + Click on the icon to move them below it.
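The following added example (not pfSense code, and not from the original text) models the first-match evaluation described above, so you can see why the block rule is ignored when it sits below the two default Allow LAN to any rules and takes effect once it is moved above them. The rule fields, the `move_before` helper that mimics dragging a rule into place, and the 203.0.113.0/24 address range standing in for appleinsider.com are all constructed for the illustration.

```python
"""First-match rule evaluation, as pfSense applies an interface's rule list
top-down. Added illustration only; the Rule model, the helper and the sample
addresses are constructed, not taken from pfSense."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"          # "any", "tcp", "udp", ...
    af: str = "any"             # "any", "inet" (IPv4) or "inet6" (IPv6)
    dst: str = "any"            # "any" or a CIDR such as "203.0.113.0/24"
    description: str = ""

    def matches(self, proto: str, dst_ip: str) -> bool:
        addr = ip_address(dst_ip)
        if self.af == "inet" and addr.version != 4:
            return False
        if self.af == "inet6" and addr.version != 6:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        # A network of the other address family never contains the address.
        if self.dst != "any" and addr not in ip_network(self.dst):
            return False
        return True


def first_match(rules: List[Rule], proto: str, dst_ip: str) -> Tuple[str, str]:
    """Walk the list top-down; the first matching rule decides and the rest
    are skipped. If nothing matches, pf's implicit default deny applies."""
    for rule in rules:
        if rule.matches(proto, dst_ip):
            return rule.action, rule.description
    return "block", "default deny"


def move_before(rules: List[Rule], moving: Rule, target: Rule) -> List[Rule]:
    """Return a new list with `moving` placed directly above `target`,
    which is what dragging a rule (or the anchor icon) does in the GUI."""
    rest = [r for r in rules if r != moving]
    idx = rest.index(target)
    return rest[:idx] + [moving] + rest[idx:]


# The two default LAN rules pfSense creates at install time (modelled after
# the text's description; the descriptions are constructed).
ALLOW_LAN_V4 = Rule("pass", af="inet", description="Default allow LAN to any rule")
ALLOW_LAN_V6 = Rule("pass", af="inet6", description="Default allow LAN IPv6 to any rule")

# Constructed placeholder range (RFC 5737 documentation space) standing in
# for appleinsider.com; it is NOT the site's real address.
BLOCK_SITE = Rule("block", proto="tcp", dst="203.0.113.0/24",
                  description="Block appleinsider.com")

WRONG_ORDER = [ALLOW_LAN_V4, ALLOW_LAN_V6, BLOCK_SITE]   # block rule never reached
RIGHT_ORDER = move_before(WRONG_ORDER, BLOCK_SITE, ALLOW_LAN_V4)


if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", first_match(rules, "tcp", "203.0.113.10"))
```

Run as a script, the wrong ordering reports the packet as passed by the default IPv4 rule, while the corrected ordering reports it blocked; other destinations, including IPv6 ones, still fall through to the appropriate default allow rule, and an empty rule list falls to the default deny.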
