After messing around for a few hours, I think I figured it out. Regardless of classification, the rule at the TOP of the list gets priority. This is a cool way to do it, but also confusing for those who didn't know. From the wikibook:

Strict Rule Ordering: If disabled (unchecked), IPP2P, L7, and KB-based rules are matched first, then simple port- and MAC-based matches are matched in a second pass. If enabled, each rule will be strictly evaluated in the specified order, starting from the top of the list and working downward, until the first match is found.
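
The two evaluation modes in the wikibook passage quoted above, as an added Python model (not part of the original post and not the firmware's code), showing how the same rule list can classify one connection differently depending on the Strict Rule Ordering setting. The rule fields, class names and sample rules are constructed, and it is an assumption here that within each pass rules are tried in list order and the first match wins.

```python
# Added illustration: a model of the two rule-evaluation modes described above.
# Rule kinds, class names and the sample connection are constructed.

# Kinds the quoted text says are matched in the first pass when strict ordering is off.
FIRST_PASS_KINDS = {"ipp2p", "l7", "kb"}

def classify(rules, conn, strict):
    """Return the class of the first matching rule, or None if nothing matches."""
    if strict:
        # Strict ordering: one pass, top of the list downward.
        passes = [rules]
    else:
        # Non-strict: IPP2P/L7/KB rules first, then port/MAC rules.
        # Assumption: list order is preserved inside each pass.
        first = [r for r in rules if r["kind"] in FIRST_PASS_KINDS]
        second = [r for r in rules if r["kind"] not in FIRST_PASS_KINDS]
        passes = [first, second]
    for group in passes:
        for rule in group:
            if rule["match"](conn):
                return rule["cls"]
    return None

# Constructed rule list: a broad port rule sits above an L7 rule and a KB rule.
RULES = [
    {"kind": "port", "cls": "High",   "match": lambda c: c["dport"] == 80},
    {"kind": "l7",   "cls": "Lowest", "match": lambda c: c["l7"] == "bittorrent"},
    {"kind": "kb",   "cls": "Low",    "match": lambda c: c["kb"] > 1024},
    {"kind": "mac",  "cls": "Medium", "match": lambda c: c["mac"] == "02:00:00:00:00:01"},
]

# Constructed connection: P2P traffic carried over port 80.
P2P_ON_80 = {"dport": 80, "l7": "bittorrent", "kb": 10, "mac": "02:00:00:00:00:02"}
# Constructed connection: a large download on port 80.
BIG_WEB = {"dport": 80, "l7": "http", "kb": 5000, "mac": "02:00:00:00:00:02"}

def compare(conn):
    """Return (class with strict ordering, class without) for one connection."""
    return classify(RULES, conn, strict=True), classify(RULES, conn, strict=False)

if __name__ == "__main__":
    for name, conn in (("p2p-on-80", P2P_ON_80), ("big-web", BIG_WEB)):
        print(name, compare(conn))
```

In this model the port rule at the top shadows the L7 and KB rules only when strict ordering is enabled, so a rule list should be reviewed against the mode the router is actually running in.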