Example 1 – block a website

For our first non-floating rule, we will implement a rule blocking developers' access to https://recode.net/. The process is relatively simple:

  1. We navigate to Firewall | Rules, and click on the DEVELOPERS tab. Then we can click on either Add button below the table to add a new rule.
  2. On the Edit page, we change the Action value to Reject. For Interface, we keep DEVELOPERS, since that is the interface on which packets must arrive to match this rule. We can set the Address Family field to IPv4, IPv6, or IPv4+IPv6, depending on whether our network uses IPv4 addresses, IPv6 addresses, or both. We only need to block TCP traffic, so we leave Protocol set to TCP.
  3. The packets must come from the DEVELOPERS subnet for the rule to apply, so we set Source to DEVELOPERS net. We don't need to set a port range for this rule, so we will not click on the Show Advanced button.
  4. We must block traffic to www.recode.net. A DNS lookup using nslookup returned an IP address of 151.101.21.52. We set Destination to Single host or alias in the drop-down box, and in the adjacent edit box, we enter 151.101.21.52 (it's a single IP address, so we do not need to specify a subnet). 
  5. For Description, we type Block Recode for future reference. Then we click on the Save button. Once we are returned to the main Rules page, we need to click on the Apply Changes button to reload the firewall rules.

That's all there is to it – nodes on the DEVELOPERS subnet should now be blocked from accessing Recode. We still have not created a rule allowing the DEVELOPERS net access to other networks, and we need to do that, but if we want to test our new rule, we could copy it to the LAN subnet (remembering to change Interface to LAN and Source to LAN net). To confirm that the rule works, try accessing Recode with both the rule enabled and then with it disabled. Also, to confirm that the order of rules matters, try placing the new rule both at the beginning and end of the list of rules. If it is at the end of the list, one of the "Allow LAN to any" rules will match the traffic first and our rule will not have its intended effect, but if it is at the beginning of the list, it should work.
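To see why the rule's position matters, here is an added example (not from the book and not pfSense code) that simulates pfSense's first-match evaluation of an interface's rule list. The rule fields mirror the example above; the LAN subnet 192.168.1.0/24 and the client address 192.168.1.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str        # "pass" or "reject"
    interface: str     # interface the packet must arrive on
    proto: str         # "tcp", "udp" or "any"
    src: str           # network the source must belong to, or "any"
    dst: str           # network or single host for the destination, or "any"
    description: str


def in_net(addr: str, net: str) -> bool:
    """'any' matches everything; a bare address such as 151.101.21.52 is a /32."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, iface: str, proto: str, src: str, dst: str) -> bool:
    return (rule.interface == iface and rule.proto in ("any", proto)
            and in_net(src, rule.src) and in_net(dst, rule.dst))


def evaluate(rules, iface, proto, src, dst):
    """Walk the list top to bottom; the first matching rule decides, which is
    how pfSense evaluates per-interface rules. If nothing matches, the
    implicit default deny applies."""
    for rule in rules:
        if matches(rule, iface, proto, src, dst):
            return rule.action, rule.description
    return "block", "default deny"


LAN_NET = "192.168.1.0/24"   # assumed LAN subnet (not given in the text)
RECODE = "151.101.21.52"     # address the nslookup in the text returned

# The example rule copied to LAN, beside the stock "Allow LAN to any" rule.
block_recode = Rule("reject", "LAN", "tcp", LAN_NET, RECODE, "Block Recode")
allow_lan = Rule("pass", "LAN", "any", LAN_NET, "any", "Allow LAN to any")


def outcome(rules) -> str:
    """Description of the rule that decides a LAN host's TCP packet to Recode."""
    return evaluate(rules, "LAN", "tcp", "192.168.1.10", RECODE)[1]


if __name__ == "__main__":
    print(outcome([block_recode, allow_lan]))  # Block Recode
    print(outcome([allow_lan, block_recode]))  # Allow LAN to any
```

Swapping the two rules in the list is exactly the experiment the text suggests: with the block rule last, the permissive rule wins and the block never fires.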

This rule could be improved upon: the IP address of Recode could change, and perhaps we should have created an alias for the sake of clarity, and so that if we copy the rule, we don't have to change the IP address in multiple locations. We will address the creation of aliases later in this chapter.
