We are talking about non-stateful rules, so firewall rules have nothing to do with it.
What I'm used to with ACLs at switch level (this is what VMware is trying to do) is that it will stop processing rules when it hits a rule that "says" something about the rule.
So if I allow ICMP and want to disallow everything else, I first create a rule which allows ICMP and blocks everything else.
With some switch brands you don't even have to create a drop-all rule. It will drop everything when there is no matching rule.
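
The first-match processing described in the post above, as an added example that is not part of the original thread: a small stateless ACL evaluator in Python that also flags rules an earlier rule makes unreachable. The `Rule` fields, the `evaluate` and `shadowed` helpers and all addresses are constructed for illustration and do not model VMware's or any switch vendor's rule syntax.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "drop"
    proto: str = "any"       # "icmp", "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"   # source CIDR
    dst: str = "0.0.0.0/0"   # destination CIDR

    def matches(self, proto, src, dst):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))

def evaluate(rules, proto, src, dst, implicit="drop"):
    """Each packet is judged on its own; the first matching rule ends processing.
    `implicit` is the action when nothing matches (assumed "drop" here)."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src, dst):
            return rule.action, index
    return implicit, None

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]

# Constructed sample rule sets.
EXPLICIT = [Rule("allow", "icmp"), Rule("drop")]    # allow ICMP, then drop-all
IMPLICIT = [Rule("allow", "icmp")]                  # relies on the implicit drop
MISORDERED = [Rule("drop"), Rule("allow", "icmp")]  # drop-all hides the allow

if __name__ == "__main__":
    for name, acl in (("explicit", EXPLICIT), ("implicit", IMPLICIT),
                      ("misordered", MISORDERED)):
        print(name,
              evaluate(acl, "icmp", "10.0.0.5", "10.0.0.9"),
              evaluate(acl, "tcp", "10.0.0.5", "10.0.0.9"),
              "shadowed:", shadowed(acl))
```
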