Firewall rules are processed in order — first matching rule wins. Structure: (direction) (protocol) (source) → (destination) : (port) = (action). Last rule: implicit deny-all.
Order matters critically — more specific rules must come before general ones. Rule placement errors can accidentally permit or deny unintended traffic. Document the purpose of every rule. Annually review and remove unused rules (firewall rule bloat increases attack surface).