I've talked to three people now, and like me they can see only one
lonely use case for per-interface rules: anti-spoofing.
Seeing as anti-spoofing is largely automated in pfSense and m0n0wall,
is there any compelling reason for this odd division of the rulebase?
It makes the rules hard to work with, because in addition to deciding
on your source, destination and service, you have to either add your
rule to all of the interfaces, or try to figure out by what arcane
metric the firewall decides when to enforce the rules that are added
under one particular interface and when it's the rules associated with
another interface that's in action.
Hope you can enlighten me!
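As an added illustration (not part of the original post), the following pf.conf fragment shows the mechanism behind the per-interface layout. pfSense and m0n0wall generate pf rules, and a rule listed under an interface tab becomes a pf rule of the form `pass in on <interface>`: it is only consulted for packets that enter the firewall through that interface, and the reply packets of a connection are admitted by the state the rule created rather than by a rule on the other interface. The interface names and network below are assumed for the example.

```pf
# Example pf.conf, not a ruleset generated by pfSense or m0n0wall.
# Interface names and the LAN network are assumed.
ext_if  = "em0"              # WAN
int_if  = "em1"              # LAN
lan_net = "192.168.1.0/24"

# Per-interface anti-spoofing: drop packets that arrive on an interface
# with a source address belonging to a network reached via another interface.
antispoof quick for { $ext_if, $int_if }

# Default deny in every direction on every interface.
block all

# Equivalent of a rule under the "LAN" tab: only packets entering through
# the LAN interface are matched. The state entry lets the replies back in
# on WAN without any WAN-tab rule.
pass in on $int_if from $lan_net to any keep state

# Equivalent of a rule under the "WAN" tab: only packets entering through
# the WAN interface are matched. Outbound LAN traffic never reaches this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

The division therefore follows the ingress interface: when deciding which tab a rule belongs under, ask on which interface the first packet of the connection arrives at the firewall.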