Someone sent me a PM on this, so a quick update is warranted :)
There is a redmine issue open on this, with no solution:
https://redmine.pfsense.org/issues/4479
In most cases, I work around the issue with a quick-action floating rule with no state, all flags, outbound only on GRE interfaces, that passes all traffic coming out that interface. As this is traffic leaving pfSense, you can control which traffic leaves the interface with normal firewall rules on other nets, and inbound rules on the other side of the GRE tunnel.
Another solution, though terrible, are floating, stateless, all-flag rules both way with swapped src/dst ports (i.e. inbound from tunnel on host port 443, outbound from host port 443 to addresses across tunnel). This is obviously less than ideal because host could source any traffic at port 443 with any dst port and it could get across. Even worse the other way around, if you don't control the other tunnel endpoint.