Allow for security zones when defining interfaces and firewall rules.
I have experience using Check Point and Palo Alto appliances with "zone" features. This allows you to group networks/interfaces into security zones. These zones can be trusted, untrusted, vpn, etc. Instead of needing to block all additional trusted zones from your DMZ network when your intent is to allow traffic to the internet only, you can set the destination zone in the rule to "external" or "untrusted", resulting in the same policy but with a single rule. This makes policy creation and management much simpler while ensuring tight security and intended behavior. I know pfSense allows you to group interfaces and manage them in one common rule set, but the idea of zones is different and quickly being adopted across the industry. It closes up leaks that are commonly overlooked.
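To make the "leak" in the request concrete, here is an added toy model (not pfSense, Check Point or Palo Alto code, and not from the original post) that evaluates the same DMZ-to-internet intent under both a zone-based rule and a pfSense-style per-interface rule list. The topology, addresses and rules are constructed for the example. Both evaluators use first-match-wins with an implicit block at the end. The interesting case is attaching a new trusted VLAN without touching the rules: the zone rule still blocks DMZ traffic to it, while the per-interface list (block LAN, then pass any) silently lets it through.

```python
"""Toy model contrasting zone-based and per-interface firewall policy.

Added illustration; not pfSense, Check Point or Palo Alto code. Topology,
addresses and rule sets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: interface -> (security zone, attached network).
INTERFACES = {
    "wan": ("untrusted", "203.0.113.0/24"),
    "lan": ("trusted", "192.168.10.0/24"),
    "dmz": ("dmz", "192.168.50.0/24"),
}


def zone_of(dst_ip, interfaces):
    """Zone of the interface that owns dst_ip. Anything not locally attached
    leaves via the default route, so it is treated as the untrusted zone."""
    addr = ip_address(dst_ip)
    for zone, net in interfaces.values():
        if addr in ip_network(net):
            return zone
    return "untrusted"


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    action: str  # "pass" or "block"


@dataclass(frozen=True)
class IfaceRule:
    in_iface: str
    dst_net: str  # CIDR or "any"
    action: str


def eval_zone_policy(rules, src_iface, dst_ip, interfaces):
    """Zone model: first matching rule wins, no match means implicit block."""
    src_zone = interfaces[src_iface][0]
    dst_zone = zone_of(dst_ip, interfaces)
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone:
            return r.action
    return "block"


def eval_iface_policy(rules, src_iface, dst_ip):
    """Per-interface model: first match wins, implicit block at the end."""
    addr = ip_address(dst_ip)
    for r in rules:
        if r.in_iface != src_iface:
            continue
        if r.dst_net == "any" or addr in ip_network(r.dst_net):
            return r.action
    return "block"


# Single zone rule expressing "DMZ may only reach the outside".
ZONE_RULES = [ZoneRule("dmz", "untrusted", "pass")]

# Equivalent per-interface rules at the time they were written.
IFACE_RULES = [
    IfaceRule("dmz", "192.168.10.0/24", "block"),  # block DMZ -> LAN
    IfaceRule("dmz", "any", "pass"),               # then allow "internet"
]


def compare(add_new_trusted_segment):
    """Evaluate DMZ-originated traffic under both models.

    Returns {(model, destination): action}. With add_new_trusted_segment,
    a new trusted VLAN is attached but the rule sets are left untouched,
    which is the oversight the zone model guards against.
    """
    interfaces = dict(INTERFACES)
    if add_new_trusted_segment:
        interfaces["vlan20"] = ("trusted", "192.168.20.0/24")
    destinations = {  # constructed sample destinations
        "internet": "198.51.100.7",
        "lan_host": "192.168.10.5",
        "vlan20_host": "192.168.20.5",
    }
    results = {}
    for name, ip in destinations.items():
        results[("zone", name)] = eval_zone_policy(ZONE_RULES, "dmz", ip, interfaces)
        results[("iface", name)] = eval_iface_policy(IFACE_RULES, "dmz", ip)
    return results


if __name__ == "__main__":
    for scenario in (False, True):
        print("new trusted VLAN attached:", scenario)
        for key, action in sorted(compare(scenario).items()):
            print(f"  {key[0]:5} -> {key[1]:12} {action}")
```

Running it shows both models agreeing on the original topology (internet passes, LAN is blocked), then diverging once vlan20 exists: the zone rule blocks DMZ to 192.168.20.5 because the destination now resolves to the trusted zone, while the per-interface list passes it because no block rule was ever written for that subnet.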