Floating firewall rules have several distinct advantages over non-floating rules:
- They can apply to more than one interface at a time. This saves us from maintaining copies of essentially identical rules on each interface, and is handy whenever a rule should be in effect on multiple interfaces (for example, the same egress restriction on every internal network).
- Whereas conventional (per-interface) firewall rules are only evaluated on traffic entering an interface from the network attached to it, floating firewall rules may be evaluated when traffic enters an interface (in), when it leaves an interface (out), or in either direction (any). Filtering traffic as it leaves an interface is therefore only possible with floating rules.
- In the Action drop-down menu, in addition to the Pass, Block, and Reject options available for conventional firewall rules, there is a fourth option called Match. If this option is selected, the rule's settings (such as its queue or tag) are applied to packets matching the rule, but the pass/block status of those packets is not affected and is left to the other rules. This option is often used for traffic shaping, as...
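To make the three points above concrete, here is a pf ruleset excerpt in the syntax pfSense generates from the GUI. This is an added illustration written for this page, not output copied from a pfSense installation; the interface names (em0, em1, em2), networks, and queue names (qHTTPS, qACK) are assumed placeholders.

```pf
# Assumed interface macros, as pfSense defines them at the top of /tmp/rules.debug
WAN = "em0"
LAN = "em1"
OPT1 = "em2"

# Conventional interface rules: one copy per interface, inbound only, and always
# "quick" (first match wins). Allowing HTTPS out of two internal networks takes two rules.
pass in quick on $LAN inet proto tcp from 192.168.1.0/24 to any port 443 keep state
pass in quick on $OPT1 inet proto tcp from 192.168.2.0/24 to any port 443 keep state

# Floating rule, same intent, one rule: several interfaces, direction stated explicitly.
# Omitting "in"/"out" makes it apply in either direction (the GUI's "any").
pass in quick on { $LAN $OPT1 } inet proto tcp from any to any port 443 keep state

# Floating "out" rule: only floating rules can filter traffic leaving an interface.
# Here DNS leaving the WAN is blocked regardless of which internal network sent it.
block out quick on $WAN inet proto udp from any to any port 53

# Match action: assign queues to matching packets without deciding pass/block.
# Whether the packet is allowed is still settled by a pass or block rule elsewhere.
match out on $WAN inet proto tcp from any to any port 443 queue (qHTTPS, qACK)
```

One caveat worth checking when a floating rule does not seem to take effect: in the pfSense GUI the Quick option is off by default for floating rules, which omits the `quick` keyword above. Without it pf does not stop at that rule but uses the last matching rule, and since every interface rule is emitted with `quick`, a non-quick floating pass or block is overridden by any interface rule that also matches. Enable Quick when the floating rule is meant to be decisive.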