It isn’t true of every firewall, but most apply rules in the order that they are listed in your firewall configuration software or rule base. In other words, the firewall starts at the top of the list and works down until it reaches a rule that would require it to block the traffic in question. If none of the rules apply, the traffic will pass through.
Firewall vendor Check Point Software notes, “Having the same rules, but putting them in a different order, can radically alter the effectiveness of the firewall. Always place more specific rules first and the more general rules last to prevent a general rule from being applied before a more specific rule.”
Another good rule of thumb is to put rules that are invoked more often higher in the order than rules that are invoked less often. Because evaluation stops at the first match, frequently matched traffic then passes through fewer rules, which speeds performance.
In its Firewall Checklist, SANS Institute recommends the following order for rules:
1. Anti-spoofing filters (block private addresses and internal addresses appearing from the outside)
2. User permit rules (e.g. allow HTTP to the public web server)
3. Management permit rules (e.g. SNMP traps to the network management server)
4. Noise drops (e.g. discard OSPF and HSRP chatter)
5. Deny and alert (alert the systems administrator about suspicious traffic)
6. Deny and log (log remaining traffic for analysis)
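The following is an added example, not code from the article, Check Point or SANS. It is a small first-match rule-base evaluator that builds the SANS ordering above from constructed rules, then shows two things the text describes: a general "allow anything to the DMZ" rule placed above the anti-spoofing rules shadows them and lets a spoofed packet through, and the number of rules examined before a match is what the "frequently hit rules first" advice optimises. All addresses, rule names, the protocol details and the choice of what counts as "suspicious" (outside traffic aimed at the management network) are assumptions made for the example.

```python
# Added example (not from the article, Check Point or SANS): a minimal
# first-match rule-base evaluator that makes rule-ordering effects visible.
# Addresses, rule names and the "suspicious traffic" definition are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: RFC 1918 space inside, 203.0.113.0/24 as our own
# public DMZ, 10.1.1.5 as the network management server, 10.2.0.0/16 as
# the management network.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OWN_PUBLIC = "203.0.113.0/24"
WEB_SERVER = "203.0.113.10/32"
NMS_SERVER = "10.1.1.5/32"
MGMT_NET = "10.2.0.0/16"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "ospf", ...
    dport: Optional[int]       # None for protocols without ports
    ingress: str               # "outside" or "inside"


@dataclass
class Rule:
    name: str
    action: str                # "permit", "drop", "deny_alert", "deny_log"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    ingress: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """A None field is a wildcard; every non-None field must match."""
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ingress is None or self.ingress == p.ingress))


def evaluate(rules, packet, default="permit"):
    """First-match evaluation as the article describes: walk the list top to
    bottom and stop at the first matching rule. Returns (action, rule name,
    number of rules examined). The default only applies when nothing matches;
    a final catch-all deny makes it unreachable."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, rule.name, examined
    return default, None, len(rules)


def sans_ordered_rules():
    """Rule base laid out in the SANS checklist order quoted in the article."""
    rules = []
    # 1. Anti-spoofing: private or our own public addresses must never
    #    arrive as a source address on the outside interface.
    for net in PRIVATE_NETS + [OWN_PUBLIC]:
        rules.append(Rule(f"antispoof-{net}", "deny_log", src_net=net, ingress="outside"))
    # 2. User permit: HTTP to the public web server.
    rules.append(Rule("user-web", "permit", dst_net=WEB_SERVER, proto="tcp", dport=80))
    # 3. Management permit: SNMP traps (UDP 162) to the management server.
    rules.append(Rule("mgmt-snmp-trap", "permit", dst_net=NMS_SERVER, proto="udp", dport=162))
    # 4. Noise drops: routing/redundancy chatter we do not want logged.
    rules.append(Rule("noise-ospf", "drop", proto="ospf"))
    rules.append(Rule("noise-hsrp", "drop", proto="udp", dport=1985))
    # 5. Deny and alert (assumption: outside traffic aimed at the management
    #    network is what this site treats as suspicious).
    rules.append(Rule("alert-mgmt-from-outside", "deny_alert", dst_net=MGMT_NET, ingress="outside"))
    # 6. Deny and log everything else.
    rules.append(Rule("deny-log-all", "deny_log"))
    return rules


def general_first_rules():
    """Same rules, but with a broad 'allow anything to the DMZ' rule on top:
    the general-before-specific mistake Check Point warns about."""
    rules = sans_ordered_rules()
    rules.insert(0, Rule("permit-any-to-dmz", "permit", dst_net=OWN_PUBLIC))
    return rules


# Constructed sample traffic.
SPOOFED_WEB = Packet("10.0.0.5", "203.0.113.10", "tcp", 80, "outside")
REAL_WEB = Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "outside")
OSPF_HELLO = Packet("198.51.100.1", "224.0.0.5", "ospf", None, "outside")
MGMT_PROBE = Packet("198.51.100.9", "10.2.0.20", "tcp", 22, "outside")


if __name__ == "__main__":
    for label, rules in (("SANS order", sans_ordered_rules()),
                         ("general rule first", general_first_rules())):
        print(label, "->", evaluate(rules, SPOOFED_WEB))
```

Run as a script, it prints the verdict for the spoofed packet under both orderings: the SANS order stops at the first anti-spoofing rule with a logged deny, while the general-first order permits it at rule 1 and the anti-spoofing rules are never consulted. The third element of each result (rules examined) is the cost the "frequently invoked rules first" advice reduces.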