The leftmost tab on the Rules page is Floating. From this tab, you can create rules that are different from the rules described previously in several ways:
- Whereas rules on a single subnet/interface tab can only be applied to traffic leaving that subnet (that is, traffic arriving at the firewall on that interface), floating rules can apply to traffic entering or leaving a subnet, or to traffic going in either direction.
- Floating rules can apply to more than one interface.
- As with other rules, there is an Action drop-down box, and the Pass, Block, and Reject options are supported. There is a fourth option, however, called Match. If Match is selected and traffic matches the rule, the pass/block status of the traffic is not affected, but the rule's other settings are still applied. This is useful in traffic-shaping scenarios, as it allows us to divert the traffic into different queues, including ones we created when setting up traffic shaping.
To begin creating Floating rules, we first open the Floating tab on the Rules page and then click one of the Add buttons. You will notice that the options are similar to those we saw before, when creating non-floating rules, with some significant differences:
- As mentioned earlier, the Action drop-down box has an option called Match.
- There is an option called Quick. This checkbox, if checked, will cause the rule to be evaluated before the per-subnet/per-interface rules. The default behavior (when this option is not checked) is to evaluate the floating rules last.
- More than one interface can be selected in the Interface list box.
- With the Direction drop-down box, you can choose to apply the rule to traffic coming into the interface (in), traffic leaving the interface (out), or both.
The Quick option is a powerful one. A floating rule without Quick enabled is enforced only if none of the rules on the subnet/interface tabs match the traffic and (since rules are evaluated top-down) only if none of the rules above it on the Floating tab match the traffic first. Thus, if we need a rule to be enforced before all other rules, we use the Quick option. Floating rules without Quick enabled, however, are an effective way of enforcing a default behavior across multiple interfaces.
Because this can seem confusing at first, it is worth noting that non-floating rules are always enforced on traffic that is inbound to an interface. Thus, if we want a floating rule that behaves the same as a non-floating rule, we set Direction to in. If you need to filter outbound traffic or traffic in both directions, select the out or any option instead.
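To make the evaluation order and direction semantics described above concrete, here is an added simulator (it is not pfSense code and is not part of the original text). It applies the order as the text describes it: Quick floating rules first, then per-interface rules, then the remaining floating rules, each group top-down with the first Pass/Block/Reject winning, while Match rules only assign a queue. The interface names, ports, sample rules and the default-deny verdict are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass", "block", "reject" or "match"
    interfaces: frozenset        # a floating rule may list several interfaces
    direction: str = "in"        # "in", "out" or "any"; per-interface rules are always "in"
    dport: Optional[int] = None  # None means any destination port
    quick: bool = False          # floating rules only: evaluate before per-interface rules
    queue: Optional[str] = None  # shaper queue assigned by a Match rule

@dataclass
class Packet:
    interface: str
    direction: str               # "in" or "out" relative to the firewall interface
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.interface in rule.interfaces
            and rule.direction in ("any", pkt.direction)
            and rule.dport in (None, pkt.dport))

def evaluate(floating, per_interface, pkt, default="block"):
    """Return (verdict, queue). Quick floating rules, then per-interface rules,
    then the remaining floating rules, top-down; the first Pass/Block/Reject
    that matches decides. Match rules only set the queue and keep going."""
    order = ([r for r in floating if r.quick] + list(per_interface)
             + [r for r in floating if not r.quick])
    queue = None
    for rule in order:
        if not matches(rule, pkt):
            continue
        if rule.action == "match":
            queue = rule.queue
            continue
        return rule.action, queue
    return default, queue        # assumed default-deny when nothing matches

# Constructed sample policy (assumption): LAN passes everything inbound; the
# floating tab tags SIP into a VoIP queue, blocks telnet leaving WAN, and has a
# non-Quick block for port 80 that the LAN pass rule will win against.
LAN, WAN = "lan", "wan"
PER_INTERFACE = [Rule("pass", frozenset({LAN}))]
FLOATING = [
    Rule("match", frozenset({LAN, WAN}), "any", dport=5060, quick=True, queue="qVoIP"),
    Rule("block", frozenset({WAN}), "out", dport=23),
    Rule("block", frozenset({LAN, WAN}), "in", dport=80),            # not Quick
]
QUICK_BLOCK_80 = FLOATING[:2] + [Rule("block", frozenset({LAN, WAN}), "in", dport=80, quick=True)]
```

Running the same port-80 packet against FLOATING and against QUICK_BLOCK_80 shows why the text says Quick is needed when a floating rule must win over the interface tabs.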