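I have a network server configured with the roles of router, firewall and proxy (transparent mode), used to filter the network traffic of the two networks behind this server.
Hosts from both networks browse normally on all kinds of sites (banks, e-mail, Facebook, LinkedIn, etc.), but the Twitter site is a very peculiar case, and coincidentally (starting a month ago) the same thing began to happen with YouTube and Pinterest, but I am not (for now) focusing on the last two services: I think that if I can figure out what is happening with Twitter, I can figure out what is happening with YouTube and Pinterest (maybe...).
Basically, Twitter has a specific host/server that is also responsible for serving the .CSS files and some images. When the page tries to load, the web browser shows a message such as TLS handshake with abs.twimg.com... or something similar in the (bottom) left corner, and it stays on this message and the page does not load correctly, lacks structure, etc., probably because of the .CSS that this host cannot deliver in the scenario I show here.
So far, I have identified the host/server and I basically tried using curl.
I determined:
- During the SSL handshake, curl does not report anything about the Server Hello
- The host/server is a reverse proxy server (X-headers...)
Below are the details of what I have investigated so far:
Network topology
Routing table (server)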
$ ip route
default via 192.168.100.254 dev eth1
10.255.255.0/26 dev eth2 proto kernel scope link src 10.255.255.62
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
IPTABLES/Netfilter
# Generated by iptables-save v1.4.21 on Wed Aug 30 12:00:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent Proxy Rules (SQUID)
-A PREROUTING -i eth2 -s 10.255.255.0/26 -p tcp --dport 80 -j DNAT --to-destination 10.255.255.62:3128
-A PREROUTING -i eth2 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --sport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Routing (eth2 [LAN] <-> [WAN] eth1)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allowing Established Connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allowing Localhost Traffic
-A INPUT -i lo -j ACCEPT
# Blocking Localhost Traffic (from unrecognized networks)
-A INPUT ! -i lo -s 127.0.0.1/8 -j REJECT
# ICMP (Ping)
-A INPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED --icmp-type 8 -j ACCEPT
# SSH (Server Remote Access)
-A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
# DNS
-A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 53 -j ACCEPT
# DHCP
-A INPUT -i eth2 -p udp --dport 67 --sport 68 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 68 --sport 67 -j ACCEPT
# SAMBA File Server (LAN)
-A INPUT -i eth2 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 445 -j ACCEPT
# EMAIL (SMTP)
-A INPUT -i eth2 -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 587 -j ACCEPT
# EMAIL (POP)
-A INPUT -i eth2 -p tcp --dport 110 -j ACCEPT
# EMAIL (IMAP)
-A INPUT -i eth2 -p tcp --dport 143 -j ACCEPT
# EMAIL (IMAP over SSL)
-A INPUT -i eth2 -p tcp --dport 993 -j ACCEPT
# EMAIL (POP over SSL)
-A INPUT -i eth2 -p tcp --dport 995 -j ACCEPT
# PRINTER
-A INPUT -i eth2 -p tcp --dport 515 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 631 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 9100 -j ACCEPT
# SQUID3 (see table nat)
-A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
# Log all incoming traffic that is not listed above...
-A INPUT -i eth2 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-lan] " --log-level 7
-A INPUT -i eth1 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-wan] " --log-level 7
# Rejecting everything not listed above.
-A INPUT -j REJECT
# Accepting OUTPUT of everything, on any interface.
-A OUTPUT -j ACCEPT
cURL
Behind the Route Server
$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
Hostname was NOT found in DNS cache
Trying 104.244.46.199...
Connected to abs.twimg.com (104.244.46.199) port 443 (#0)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
Operation timed out after 0 milliseconds with 0 out of 0 bytes received
Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received
Through the Route Server
$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
Hostname was NOT found in DNS cache
Trying 72.21.91.70...
Connected to abs.twimg.com (72.21.91.70) port 443 (#0)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using ECDHE-RSA-AES128-GCM-SHA256
Server certificate:
subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=*.twimg.com
start date: 2017-12-02 00:00:00 GMT
expire date: 2018-12-05 12:00:00 GMT
subjectAltName: abs.twimg.com matched
issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
SSL certificate verify ok.
GET /a/1425667452/css/t1/twitter_core.bundle.css HTTP/1.1
User-Agent: curl/7.35.0
Host: abs.twimg.com
Accept: */*
< HTTP/1.1 200 OK
< access-control-allow-origin:
< Content-Type: text/css
< Date: Thu, 12 Apr 2018 16:48:28 GMT
< Etag: "guajswzGI2hE0uFUU9DNaw==+ident"
< expires: Fri, 12 Apr 2019 16:48:28 GMT
< Last-Modified: Fri, 06 Nov 2015 01:38:59 GMT
Server ECS (dfw/2788) is not blacklisted
< Server: ECS (dfw/2788)
< surrogate-key: twitter-assets
< Vary: Accept-Encoding
< X-Cache: HIT
< x-connection-hash: b9f823e9ff63b5f7f0bd142be924c75b
< x-content-type-options: nosniff
< x-response-time: 33
< x-ton-expected-size: 225802
< Content-Length: 225802
<
/*! normalize.css v3.0.0 | MIT License | git.io/normalize */html{font-family:sans-serif;
TCPDUMP
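- Run while I was executing cURL from one of the hosts behind the Route Server
- I used a different IP for abs.twimg.com, because the DNS resolution of this host is dynamic (there are many IPs behind it); in this case, the IP is 104.244.46.231
- Looking at the tcpdump on the LAN side, there are two packets from this IP, traversing from eth1 (WAN) to eth2 (LAN)
LAN (192.168.0.0/24 + 10.255.255.0/26)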
$ tcpdump -i eth2 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-12 13:24:25.427316 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [S], cksum 0x6c7b (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.474012 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd51d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475244 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x73eb (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:25.476080 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4480 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 295
2018-04-12 13:24:25.723055 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4442 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702836 ecr 2426425241], length 295
2018-04-12 13:24:25.971095 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4404 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702898 ecr 2426425241], length 295
2018-04-12 13:24:26.467091 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4388 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703022 ecr 2426425241], length 295
2018-04-12 13:24:26.491546 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd412 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494245 IP (tos 0x0, ttl 64, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x71c6 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0
2018-04-12 13:24:27.459109 IP (tos 0x0, ttl 64, id 15113, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4290 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703270 ecr 2426425241], length 295
2018-04-12 13:24:29.447605 IP (tos 0x0, ttl 64, id 15114, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x409f (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703767 ecr 2426425241], length 295
2018-04-12 13:24:33.420240 IP (tos 0x0, ttl 64, id 15115, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x3cbe (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3704760 ecr 2426425241], length 295
2018-04-12 13:24:41.371165 IP (tos 0x0, ttl 64, id 15116, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x34fa (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3706748 ecr 2426425241], length 295
2018-04-12 13:24:57.259220 IP (tos 0x0, ttl 64, id 15117, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x2576 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3710720 ecr 2426425241], length 295
2018-04-12 13:25:29.067129 IP (tos 0x0, ttl 64, id 15118, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x0666 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3718672 ecr 2426425241], length 295
2018-04-12 13:26:32.748577 IP (tos 0x0, ttl 64, id 15119, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0xc835 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3734592 ecr 2426425241], length 295
2018-04-12 13:28:32.811394 IP (tos 0x0, ttl 64, id 15120, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x52f5 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3764608 ecr 2426425241], length 295
2018-04-12 13:29:25.551683 IP (tos 0x0, ttl 64, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [F.], cksum 0x4db8 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
18 packets captured
43 packets received by filter
0 packets dropped by kernel
WAN (192.168.100.0/24)
$ tcpdump -i eth1 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-12 13:24:25.427501 IP (tos 0x0, ttl 63, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [S], cksum 0x0886 (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.473954 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x7128 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475333 IP (tos 0x0, ttl 63, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0ff6 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:26.491489 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x701d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494369 IP (tos 0x0, ttl 63, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0dd1 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0
2018-04-12 13:29:25.551782 IP (tos 0x0, ttl 63, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [F.], cksum 0xe9c2 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
HTTP Logging (Firefox Quantum)
Behind the Route Server, I used the HTTP Logging feature of Mozilla Firefox Quantum and got these messages, which are not very clear (at least to me):
2018-04-10 19:26:31.097581 UTC - [Main Thread]: D/nsHostResolver Resolving host [abs.twimg.com].
2018-04-10 19:26:31.097602 UTC - [Main Thread]: D/nsHostResolver No usable address in cache for host [abs.twimg.com].
2018-04-10 19:26:31.097640 UTC - [Main Thread]: D/nsHostResolver DNS lookup for host [abs.twimg.com] blocking pending 'getaddrinfo' query: callback [0x7f8c647e11f0]
2018-04-10 19:26:31.097656 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [abs.twimg.com].
2018-04-10 19:26:31.221949 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - lookup completed for host [abs.twimg.com]: success.
2018-04-10 19:26:31.221978 UTC - [DNS Resolver #3]: D/nsHostResolver Caching host [abs.twimg.com] record for 60 seconds (grace 60).
2018-04-10 19:26:31.809789 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424160 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, gid=27887222652930 topwinid=180000001]
2018-04-10 19:26:31.809835 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809838 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css
2018-04-10 19:26:31.809961 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424a60 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, gid=27887222652931 topwinid=180000001]
2018-04-10 19:26:31.809990 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809993 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css
2018-04-10 19:26:31.810078 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424b80 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css, gid=27887222652932 topwinid=180000001]
2018-04-10 19:26:31.810106 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.810108 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css
2018-04-10 19:26:31.811307 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811328 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, value=0x7f8c4a7dd7e8]
2018-04-10 19:26:31.811331 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811381 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811398 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd828]
2018-04-10 19:26:31.811402 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811799 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811819 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, value=0x7f8c4a7dd808]
2018-04-10 19:26:31.811823 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811876 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811890 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd848]
2018-04-10 19:26:31.811894 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
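With all this information, I have the following questions:
- Are firewall rules missing, excessive, or misconfigured?
- Why can't the Server Hello packet reach the host that requested https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css (as shown by cURL), while, according to the tcpdump output, some packets from this host are traversing WAN/LAN (eth1/eth2) normally?
As I said before, computers from both networks on the LAN side are using a large number of services, over HTTP or HTTPS (Google, Hotmail, Gmail, bank accounts, Amazon, etc.)...
Thanks for any interaction or guesses :).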
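The two captures in the question can be compared mechanically. This added example (not part of the original post) parses `tcpdump -tttt -vvv` output from both interfaces and lists the client packets that arrived on eth2 but never left on eth1, matching them by IP id; the function names are illustrative and the sample records are abridged from the captures on this page.

```python
import re

# First line of a `tcpdump -vvv` record: IP header fields, including the IP id.
HEAD = re.compile(r"IP \(.*?\bid (\d+),")
# Second line: "src.port > dst.port: Flags [..], ... length N" (** highlighting optional).
BODY = re.compile(r"^\s*\**([\d.]+)\.\w+\** > \**([\d.]+)\.\w+\**: "
                  r"Flags \[([^\]]+)\].*\blength (\d+)\s*$")

def parse(capture):
    """Return one (ip_id, src, dst, flags, payload_len) tuple per packet."""
    packets, ip_id = [], None
    for line in capture.splitlines():
        head = HEAD.search(line)
        if head:
            ip_id = int(head.group(1))
            continue
        body = BODY.match(line)
        if body and ip_id is not None:
            src, dst, flags, length = body.groups()
            packets.append((ip_id, src, dst, flags, int(length)))
            ip_id = None
    return packets

def lost_in_forwarding(ingress, egress, server):
    """Packets addressed to `server` that entered the router but never left it."""
    # Assumption: forwarding and MASQUERADE leave the IP id untouched, so the
    # id identifies the same packet in both captures (as ids 15106/15121 do here).
    forwarded = {p[0] for p in parse(egress) if p[2] == server}
    return [(p[0], p[3], p[4]) for p in parse(ingress)
            if p[2] == server and p[0] not in forwarded]

# Sample records abridged from the captures on this page (checksums and TCP
# options trimmed); LAN_SIDE is eth2, WAN_SIDE is eth1.
LAN_SIDE = """\
2018-04-12 13:24:25.427316 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [S], seq 1969112296, win 29200, length 0
2018-04-12 13:24:25.474012 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    104.244.46.231.https > 192.168.0.12.54464: Flags [S.], seq 1110799867, ack 1969112297, win 28960, length 0
2018-04-12 13:24:25.476080 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], seq 1:296, ack 1, win 229, length 295
2018-04-12 13:24:25.723055 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], seq 1:296, ack 1, win 229, length 295
2018-04-12 13:29:25.551683 IP (tos 0x0, ttl 64, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [F.], seq 296, ack 1, win 229, length 0
"""
WAN_SIDE = """\
2018-04-12 13:24:25.427501 IP (tos 0x0, ttl 63, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [S], seq 1969112296, win 29200, length 0
2018-04-12 13:29:25.551782 IP (tos 0x0, ttl 63, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [F.], seq 296, ack 1, win 229, length 0
"""

print(lost_in_forwarding(LAN_SIDE, WAN_SIDE, "104.244.46.231"))
```

Run over the full captures in the question, the same comparison reports ids 15108 to 15111 and 15113 to 15120, which are exactly the 295-byte `[P.]` segments; the handshake packets and the ACKs without payload are forwarded.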
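In *filter, I changed the order of two rules and the connections started to flow normally (I don't know why):
From:
To:
Basically, because IPTABLES conntrack allows the remote hosts in this problem to establish connections, and they start the connection with the requester according to the conntrack table and its data, changing DST and SRC as the case requires.
More information: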