Floating Rules

Floating Rules are a special type of advanced rule that can perform complicated actions not possible with rules on interface or group tabs. Floating rules can act on multiple interfaces in the inbound, outbound, or both directions. The use of inbound and outbound filtering makes designing rules highly complex and prone to user error, but they can be desirable in certain challenging scenarios.

Tip

Most firewall configurations will never have floating rules, or only have floating rules added by the traffic shaper.

Precautions/Caveats

Floating rules can be a lot more powerful than other rules, but also more confusing. With floating rules it is easier for administrators to make an error with unintended consequences when passing or blocking traffic, which can be dangerous.

The firewall does not automatically add reply-to on floating rules in the inbound direction as it does for individual interface rules. Thus, floating rules have the same problem as interface groups on a multi-WAN firewall: return traffic for states created by floating rules always exits via the default gateway, so a reply packet cannot automatically return out the non-default WAN through which it entered the firewall.

Given the relative unfamiliarity of most administrators with floating rules, they may not think to look on the Floating tab for rules when maintaining the firewall, which increases the difficulty of firewall administration.

Take care when considering the source and destination of packets, which depend on whether the rule is in the inbound or outbound direction. For example, a rule in the outbound direction on a WAN typically sees a local source, which after outbound NAT is the firewall's WAN address, and a remote destination.

Potential Uses

The most common use of Floating rules is for ALTQ traffic shaping. Floating rules are the only type of rules which can match and queue traffic without explicitly passing the traffic.

Another use of floating rules is to control traffic egressing from the firewall itself. Floating rules can prevent the firewall from reaching specific IP addresses, ports, and so on.

Other common uses are to ensure that no traffic can enter a secure network from unintended paths, no matter what rules exist on other interfaces. Blocking traffic toward the secure network from all but approved sources reduces the likelihood of later accidentally allowing traffic in through another unintended path. Similarly, floating rules can prevent traffic destined for private networks from exiting a WAN interface, so that traffic meant for a VPN cannot leak out the WAN.

Floating rules are also needed to fully configure alternate state timeouts, tag/match operations, “no state” rules, and “sloppy state” rules for asymmetric routing, because those settings must be applied in the outbound direction as well as inbound.

Processing Order

In the inbound direction, floating rules work essentially the same as interface or group rules except that they are processed first. Processing in the outbound direction is more complicated.

The firewall processes floating rules after NAT rules, so rules in the outbound direction on a WAN can never match a private IP address source if the firewall also applies outbound NAT to connections on that interface. By the time a packet hits the floating rule, the source address of the packet is the post-NAT WAN IP address. In most cases this limitation can be overcome by applying a tag to a packet inbound on the LAN and then matching that tag in an outbound floating rule (Marking and Matching).

The firewall processes floating rules before interface group rules and interface rules, so that must also be taken into consideration.

See also

See Ordering of NAT and Firewall Processing for a more detailed analysis of rule processing and flow through the firewall, including how NAT rules come into play.

Floating Rule Configuration

Most options available for floating rules are identical to those found on interface and group tab rules. However, floating rules have a few differences in available options and available choices.

Match Action

The match action is unique to floating rules. A rule with the match action will not pass or block a packet, but only match it for purposes of assigning traffic to queues or limiters for traffic shaping. Match rules do not work with Quick enabled.

Quick

Quick controls whether the firewall stops processing rules when a packet matches this rule. Interface and group tab rules always behave this way, but on floating rules the behavior is optional. Without Quick checked, the rule only takes effect if no later rule matches the packet: the firewall keeps evaluating, and the last matching rule determines the action. In other words, leaving Quick unchecked changes the behavior from “first match wins” to “last match wins”.

Using this mechanism, administrators can craft a default action of sorts which will take effect only when no other rules match a packet, similar to the implicit default block rules on interfaces.

In most situations, the best practice is to check Quick. There are specific scenarios where leaving Quick unchecked is necessary, but they are rare. In most deployments, the only rules without Quick selected are the match rules created by the traffic shaper, as the Quick behavior is not compatible with the match action.

Interface

The Interface selection for floating rules is a multi-select control. With this control a rule can apply to one, multiple, or all interfaces. Ctrl-click interfaces to select them one at a time, or use click-and-drag or shift-click to select a range.

Direction

Floating rules are not limited to the inbound direction like interface rules. They have the following direction choices:

any:

The firewall will process this rule for both inbound and outbound packets.

in:

The firewall will process this rule for inbound packets.

out:

The firewall will process this rule for outbound packets.

The out direction is useful for filtering traffic from the firewall itself, for matching other undesirable traffic trying to exit an interface, or for fully configuring “sloppy state” rules, “no state” rules, or alternate state timeouts.

Marking and Matching

Using the Tag and Tagged fields, an administrator can mark a connection with an interface tab rule and then match that connection in the outbound direction with a floating rule. This is a useful way to act on outbound WAN connections from a specific internal host which the firewall could not otherwise match due to NAT masking the source. It can also be used similarly to apply traffic shaping outbound on WAN for connections specifically tagged on the way into the firewall.

For example, on a LAN rule, use a short string in the Tag field to mark a packet from a source of 10.3.0.56. Then on a floating rule, quick, outbound on WAN, use Tagged with the same string to act on the traffic matched by the LAN rule.
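The interactions described under Processing Order, Quick, and Marking and Matching are easy to get wrong when reasoning about them on paper, so the following is an added example (not pfSense code, and not a model of pf's state table or reply-to) that reproduces only the rule-ordering behaviour in a small Python model: floating rules are evaluated first, a rule without Quick only wins if nothing later matches, outbound NAT rewrites the source before outbound floating rules run, and a Tag set by a LAN rule survives that rewrite so a Tagged floating rule can still act on it. The interface names `wan` and `lan`, the addresses 203.0.113.2 and 198.51.100.7, the tag `NO_INTERNET`, the queue `qHTTPS`, and the trailing non-quick outbound allow on WAN that stands in for the firewall's own outbound pass are all constructed assumptions of the model.

```python
# Added example, not pfSense code: a small model of pf-style rule evaluation
# that reproduces the floating-rule behaviours described on this page.
# Interface names, addresses, tags and rule sets are constructed for it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    iface: str
    direction: str              # "in" or "out"
    src: str
    dst: str
    dport: int
    tag: Optional[str] = None   # set by a rule's Tag field, read by Tagged

@dataclass
class Rule:
    action: str                 # "pass", "block", "reject" or "match"
    ifaces: tuple               # interfaces the rule applies to; ("*",) = any
    direction: str              # "in", "out" or "any"
    quick: bool = True
    src: Optional[str] = None   # CIDR, None = any
    dport: Optional[int] = None
    tag: Optional[str] = None       # Tag: mark the packet when this rule matches
    tagged: Optional[str] = None    # Tagged: only match packets carrying this mark
    queue: Optional[str] = None     # match rules only assign a queue

    def matches(self, pkt):
        if "*" not in self.ifaces and pkt.iface not in self.ifaces:
            return False
        if self.direction not in ("any", pkt.direction):
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.tagged is not None and pkt.tag != self.tagged:
            return False
        return True

def evaluate(rules, pkt, default="block"):
    """pf-style walk: a matching quick rule ends evaluation, otherwise the last
    matching pass/block/reject rule wins. match rules only attach a queue.
    Tags are sticky: a matching Tag rule marks the packet even if a later rule
    wins the verdict. Returns (verdict, queue)."""
    verdict, queue = default, None
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.tag:
            pkt.tag = r.tag
        if r.action == "match":
            queue = r.queue         # match rules cannot be quick
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict, (queue if verdict == "pass" else None)

def outbound_nat(pkt, lan="10.3.0.0/24", wan_ip="203.0.113.2"):
    """Outbound NAT on WAN runs before outbound floating rules see the packet."""
    if pkt.iface == "wan" and pkt.direction == "out" and ip_address(pkt.src) in ip_network(lan):
        pkt.src = wan_ip
    return pkt

def lan_to_internet(tag_on_lan):
    """One LAN host opening HTTPS outbound: evaluated inbound on LAN, then
    outbound on WAN after NAT. Floating rules always come first."""
    floating = [
        Rule("match", ("wan",), "out", quick=False, dport=443, queue="qHTTPS"),
        Rule("block", ("wan",), "out", src="10.3.0.56/32"),   # never matches post-NAT
        Rule("block", ("wan",), "out", tagged="NO_INTERNET"),  # matches the LAN tag
    ]
    lan_rules = [Rule("pass", ("lan",), "in", src="10.3.0.0/24",
                      tag="NO_INTERNET" if tag_on_lan else None)]
    # Model assumption: an outbound allow on WAN, evaluated last and without
    # quick, so any quick floating block ahead of it wins.
    wan_out = [Rule("pass", ("wan",), "out", quick=False)]
    pkt = Packet("lan", "in", "10.3.0.56", "198.51.100.7", 443)
    verdict, _ = evaluate(floating + lan_rules, pkt)
    if verdict != "pass":
        return verdict, None
    pkt.iface, pkt.direction = "wan", "out"
    outbound_nat(pkt)               # src is now 203.0.113.2
    return evaluate(floating + wan_out, pkt)

def wan_inbound(dport, default_quick):
    """A floating reject without Quick as a WAN 'default action': processed
    first, but it only wins if no later rule matches. With Quick it would
    shadow the interface pass rule instead."""
    floating = [Rule("reject", ("wan",), "in", quick=default_quick)]
    wan_rules = [Rule("pass", ("wan",), "in", dport=443)]
    pkt = Packet("wan", "in", "198.51.100.7", "203.0.113.2", dport)
    return evaluate(floating + wan_rules, pkt)[0]
```

Running `lan_to_internet(False)` yields `('pass', 'qHTTPS')`: the block on source 10.3.0.56 never fires because the packet already carries the WAN address when the outbound floating rules see it, while the match rule still queues it. `lan_to_internet(True)` yields `('block', None)`, because the tag applied by the LAN pass rule is what the outbound floating rule matches. `wan_inbound(443, False)` passes and `wan_inbound(22, False)` is rejected, which is the "default action" pattern from the Quick section; flip the reject to quick and `wan_inbound(443, True)` is rejected too, because the floating rule is processed first and now stops evaluation before the WAN interface rule is reached.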