If starting multiple jails in batch (i.e. when booting or via the UI) it is possible for the firewall rules file to be opened more than once simultaneously, resulting in one of the tasks ending up writing to a dead file.
This can cause some rules to be missing (affects ipfw; I'm sure it affects the pf path as well) and thus not applied. Restarting the jail(s) that were missed allows the missing rules to be appended as expected.
IMO the rules for each jail should probably be in separate files, with the master conf file calling each file on run (similar to how, for example, nginx works, with the main conf file referring to a directory of sub-conf files specific to a site), which would make adding/removing rules at will simpler and less reliant on the order of execution, but I understand this would be a somewhat large paradigm shift.
Suggested layout might look like:
and a reload_firewall.sh script that would loop through the files and do the needful concatenation and stitching.
Anyways, for now I'll just be aware that I may need to restart several jails individually after a reboot if they're apparently not network-accessible and using NAT.
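The per-jail layout and reload script proposed above, as an added example that is not code from this report or from the project; the directory and file names are assumptions, and the point of the write path is that a reload builds the whole file in a temp file and renames it into place, so two jails starting at once can no longer leave one writer on a dead file:

```shell
# Added example (not the project's code): each jail keeps its own rules
# fragment and a reload step stitches them into the single rules file via
# temp file + rename, so concurrent starts cannot leave a writer on a dead
# file. Paths are assumptions for the demo; override via environment.
RULES_DIR="${RULES_DIR:-./rules.d}"            # one <jail>.rules per jail
RULES_FILE="${RULES_FILE:-./firewall.rules}"   # what ipfw/pf actually loads
LOCK_DIR="${LOCK_DIR:-./firewall.lock}"

# Serialise reloads: mkdir(2) is atomic, so the first caller wins and the
# rest wait instead of racing for the same output file.
with_lock() {
    n=0
    until mkdir "$LOCK_DIR" 2>/dev/null; do
        n=$((n + 1)); [ "$n" -lt 30 ] || { echo "lock timeout" >&2; return 1; }
        sleep 1
    done
    "$@"; rc=$?
    rmdir "$LOCK_DIR"
    return "$rc"
}

# Concatenate fragments in sorted (deterministic) order into a temp file in
# the same directory, then mv(1) = rename(2): readers see the old file or the
# complete new one, never a partial or unlinked one.
stitch_rules() {
    tmp="$RULES_FILE.tmp.$$"
    {
        echo "# generated from $RULES_DIR/*.rules; edit the fragments instead"
        for f in "$RULES_DIR"/*.rules; do
            [ -f "$f" ] || continue     # unmatched glob stays literal
            echo "# --- $(basename "$f") ---"
            cat "$f"
        done
    } > "$tmp" && mv -f "$tmp" "$RULES_FILE"
}

reload_firewall() { with_lock stitch_rules; }

# Add/replace one jail's fragment (rules on stdin) or drop it, then reload;
# start order no longer matters because every reload rebuilds the whole file.
set_jail_rules() { mkdir -p "$RULES_DIR" && cat > "$RULES_DIR/$1.rules" && reload_firewall; }
unset_jail_rules() { rm -f "$RULES_DIR/$1.rules" && reload_firewall; }

# Constructed demo input (not from the report): two jails, then drop one.
demo() {
    printf 'add 100 allow tcp from any to 10.0.0.5 80\n' | set_jail_rules web
    printf 'add 200 allow tcp from any to 10.0.0.6 25\n' | set_jail_rules mail
    unset_jail_rules mail && grep -c '^add ' "$RULES_FILE"   # prints 1
}
```

On FreeBSD the mkdir lock could be swapped for lockf(1); the rename step is what removes the dead-file window either way.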