Executing scripts at boot time

It is procd that starts everything at boot and it is /etc/rc.local that is just about the last thing that gets run.

However, everything runs concurrently, and almost always when rc.local runs, the network interfaces have not yet come up, so any iptables commands in rc.local will fail.

The firewall service waits for the network to finish coming up before setting its rules.

If you want to add your own "raw" iptables commands, firewall has its own special script that it runs in a similar way to rc.local, but the network interfaces will be guaranteed to be up.
This script file is /etc/firewall.user.

Try putting your iptables commands in there (or run another script from there).

4 Likes
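A sketch of what /etc/firewall.user could contain, added here as an example and not taken from the post above. It assumes an iptables-based firewall as in the post; the `ensure_rule` and `apply_user_rules` helpers, the `IPT` override, the `eth1` WAN device name and the two sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example of /etc/firewall.user contents (not from the original post).
# IPT can be overridden, e.g. with a stub, to dry-run the logic off-device.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth1}"   # constructed placeholder; use your WAN device name

# ensure_rule TABLE CHAIN RULE-SPEC...
# Insert the rule at the top of CHAIN unless an identical rule already
# exists (iptables -C), so running this file again adds no duplicates.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -I "$chain" "$@"
}

apply_user_rules() {
    failed=0
    # Drop packets that conntrack classifies as INVALID.
    ensure_rule filter INPUT -m conntrack --ctstate INVALID -j DROP || failed=1
    # Log new inbound SSH connections arriving on the WAN side.
    ensure_rule filter INPUT -i "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j LOG --log-prefix "wan-ssh-new: " || failed=1
    return "$failed"
}

# Apply only where the iptables binary exists; report failures instead of hiding them.
if command -v "$IPT" >/dev/null 2>&1; then
    apply_user_rules || echo "firewall.user: a rule failed to apply" >&2
fi
```

Because each rule is checked with `-C` before it is inserted, the file can be run by hand while testing without stacking duplicate rules.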