The documentation for the firewall module seems to say two different things in regards to ordering.
First, in the "Beginning with firewall" section, it states:
"However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules."
But later, in "Usage" section:
"All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. 000 runs first, 999 runs last."
The example my_fw::pre class provided shows ordering both in titles as well as using ordering arrows:
From looking at the code, it appears that it uses the titles, but I think the documentation could definitely use a bit of clearing up.