Know that both firewall rules and nat rules have two parts: match and action. For firewall, action is one of accept, drop, or reject. For nat, action is to change destination addr and/or port or source addr and/or port. nat masquerade is a special way of changing source.
There are four states for packets: new, invalid, established, and related. A packet is marked with one and only one state and it does not change. State has to do with bi-directional streams of packets generally managed by conntrack, the connection tracker, and its helpers. Invalid means the packet is flawed in some way and should be ignored. New means the first packet in a stream, i.e. the packet is judged not to be part of any known stream. Established means a packet that is part of an existing known stream. Related means a packet related to a different known stream but not part of it. The related case is for things like FTP, where there is a control stream which can start other streams for data transfer, so that the data stream is related to the control stream.
In most matching for firewall or nat rules, all specified conditions must be met to get a match, thus it is a logical AND of the conditions. However, for state, as the states are mutually exclusive and covering, they are OR'd, in that specifying more than one state in a rule only requires one of them to match rather than all of them.
As for disabling, yes, you can disable both firewall and nat rules individually, but apparently not port-forward rules. Port-forward rules are sort of a wizard for generating the DNAT and associated firewall rules, but they make things opaque and offer a bit less flexibility. However, hairpin can be hairy done explicitly. So if you want to enable/disable port forwards, it is best to learn how to do them with explicit DNAT and firewall rules and then enable/disable the firewall rules. Remember also that DNAT precedes firewall, so make sure such firewall rules are contingent on the translated addr/ports.
As for rule placement, on the WAN rules, always leave established/related and invalid at the top. These rules trigger on the overwhelming number of packets, so you want them checked early. Otherwise, place a new rule before any other it must logically precede, and where there is no relation, then first by likely frequency; else it does not really matter. Logically precede generally means more specific in conditions than a related rule.
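The matching semantics described above (conditions AND'ed, states OR'd, first match wins, DNAT applied before the firewall) can be checked with a small model. This is an added example, not part of the original post and not router configuration; the class and function names, the addresses and ports, and the default drop action are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    state: str      # exactly one of: new, established, related, invalid
    proto: str
    dst_addr: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                      # accept, drop or reject
    states: frozenset = frozenset()  # empty = any state; several = OR
    proto: Optional[str] = None      # None = condition not specified
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Specified conditions are AND'ed; the state set is OR'd (membership).
        return ((not self.states or p.state in self.states)
                and self.proto in (None, p.proto)
                and self.dst_addr in (None, p.dst_addr)
                and self.dst_port in (None, p.dst_port))

def apply_dnat(p, dnat_rules):
    # dnat_rules: list of ((proto, addr, port), (new_addr, new_port)) pairs
    for match, (new_addr, new_port) in dnat_rules:
        if (p.proto, p.dst_addr, p.dst_port) == match:
            return replace(p, dst_addr=new_addr, dst_port=new_port)
    return p

def evaluate(p, dnat_rules, fw_rules, default="drop"):
    """Return (action, index of matching rule); the default action is assumed."""
    p = apply_dnat(p, dnat_rules)        # DNAT precedes the firewall
    for i, rule in enumerate(fw_rules):  # first match wins
        if rule.matches(p):
            return rule.action, i
    return default, None

# Constructed sample: WAN 203.0.113.10:8443 forwarded to 192.168.1.20:443
DNAT = [(("tcp", "203.0.113.10", 8443), ("192.168.1.20", 443))]
GOOD = [Rule("accept", frozenset({"established", "related"})),
        Rule("drop", frozenset({"invalid"})),
        Rule("accept", frozenset({"new"}), "tcp", "192.168.1.20", 443)]
# Same forward, but the rule is written against the pre-translation addr/port
BAD = GOOD[:2] + [Rule("accept", frozenset({"new"}), "tcp", "203.0.113.10", 8443)]

def pkt(state):
    return Packet(state, "tcp", "203.0.113.10", 8443)
```

With `GOOD`, a new connection to the forwarded port is accepted by the third rule; with `BAD`, the same packet falls through to the default because the firewall sees the translated destination.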