Lower precedence of automatic Firewall rules for NATs
When making a NAT rule, the automatic firewall rule creation makes NATing traffic much easier. The problem I have is when you NAT from Any to a server, for instance a web server: there is no way to block an individual IP with firewall rules. Placing the automatic firewall rules at the end, but before the DENY-All, would allow custom firewall rules to have an effect.
Just like firewall rules, NAT rules are also first-match. Just create a NO-NAT rule above your DNAT rule, and the hosts or networks selected as the source in your NO-NAT rule will not be allowed through the DNAT below it.
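The reply above relies on one property: the NAT table is evaluated top-down and the first matching rule wins, so an exception (NO-NAT) only works if it sits above the broad DNAT. The following is an added illustration written for this page, not code from the thread or from any firewall vendor; the rule names, the RFC 5737 documentation addresses and the tiny rule engine are all assumptions made for the example. It evaluates the same two rules in both orders so the difference is visible.

```python
"""First-match NAT ordering: a NO-NAT exception above a catch-all DNAT.

Added example, not from the original thread or any vendor's code. The rule
model, names and addresses below are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    action: str                    # "NO-NAT" or "DNAT"
    src: str                       # source network, CIDR; "0.0.0.0/0" means Any
    dst: str                       # original (public) destination, CIDR
    dport: int                     # destination port the rule applies to
    translate_to: Optional[str] = None   # new destination for DNAT rules only

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and dport == self.dport)


def apply_nat(rules: List[NatRule], src_ip: str, dst_ip: str,
              dport: int) -> Tuple[Optional[str], str]:
    """Walk the table top-down; the first rule that matches decides.

    Returns (name of the deciding rule or None, resulting destination IP).
    A NO-NAT match leaves the destination untranslated; a DNAT match rewrites it.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            if rule.action == "DNAT":
                return rule.name, rule.translate_to
            return rule.name, dst_ip      # NO-NAT: packet keeps its public dst
    return None, dst_ip                   # no rule matched: nothing translated


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
PUBLIC_IP = "198.51.100.10"     # the firewall's public address
WEB_SERVER = "10.0.0.80"        # internal web server behind the DNAT
ABUSER_NET = "203.0.113.0/24"   # sources we want to keep away from the server

NO_NAT_RULE = NatRule("block-abusers", "NO-NAT", ABUSER_NET, PUBLIC_IP + "/32", 80)
DNAT_RULE = NatRule("web-dnat", "DNAT", "0.0.0.0/0", PUBLIC_IP + "/32", 80, WEB_SERVER)

# Exception first, catch-all second: this is the ordering the reply recommends.
CORRECT_ORDER = [NO_NAT_RULE, DNAT_RULE]
# Catch-all first: the NO-NAT rule is shadowed and can never match.
WRONG_ORDER = [DNAT_RULE, NO_NAT_RULE]


def is_shadowed(rules: List[NatRule], index: int) -> bool:
    """True if an earlier rule's source and destination fully contain rule[index]'s
    on the same port, so rule[index] can never be reached (first-match)."""
    later = rules[index]
    for earlier in rules[:index]:
        if (earlier.dport == later.dport
                and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
            return True
    return False


if __name__ == "__main__":
    for label, table in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(f"{label} order:")
        for src in ("203.0.113.7", "192.0.2.1"):
            print(f"  {src} -> {PUBLIC_IP}:80 => {apply_nat(table, src, PUBLIC_IP, 80)}")
        print(f"  rule 2 shadowed: {is_shadowed(table, 1)}")
```

In the correct order the abuser's packet is left addressed to the firewall's own public IP, where it falls through to the ordinary firewall rules and the final deny; every other source is rewritten to the web server. In the wrong order the DNAT matches Any first and the NO-NAT rule is dead, which `is_shadowed` flags. The same check is worth running by eye on a real rule table whenever an exception is added below a broad rule.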