Well, the main way is by not allowing webGUI access using a hostname other than the one assigned to pfSense in version 2.0. There is an exception list for other hostnames used if needed, or IP address can be used without restriction, as that is not a security risk with DNS Rebinding attacks. These protections are on by default in 2.0 beta currently, even when upgrading from 1.x. It's always recommended to change the default administration password for the webGUI as well, and if you do this and are not logged into the webGUI (or are not logged into the same web browser used for other tasks), even attempts at DNS Rebinding attacks are unlikely to succeed because they would need to rely on a flaw in the LAN administration code to authenticate/change the firewall (this is the case even in 1.x). So the main recommendations beyond the build-in protections are: 1) use a different web browser for administration than for web browsing, and 2) change the default password to something secure (do this anyway!).
At least that's what I'm familiar with. I'm sure someone else may have information about additional precautions taken.