deny but mirror

FAUCET ACLs are great for locking things down. And it is possible to add FAUCET ACL rules, that count traffic and let it through (instead of counting and denying it).

But sometimes that’s not enough – you want to deny the traffic, but you also want to see what it was. FAUCET’s ACL language lets you do this.

  - rule:
        allow: 0
          ports: [99]

This rule, placed at the end of an ACL, will deny all traffic – but – before it denies it, it will make a copy and output it to port 99. In this way you can run a tcpdump on a host connected to port 99, and observe the denied traffic. Handy!