AskOverflow.Dev

ivanleoncz's questions

ivanleoncz
Asked: 2019-04-26 11:30:47 +0800 CST

docker-compose build --no-cache not working

  • 1

I made some updates to the Dockerfile of one of the services, but the changes are not reflected when running docker-compose build, not even when using the --no-cache option.

I added two parameters before running pip install -r requirements.txt, but they are never executed at any point: the build goes straight to the requirements step.

$ docker-compose build --no-cache
mongo uses an image, skipping
postgres uses an image, skipping
elasticsearch uses an image, skipping
Building nucleo
Step 1/9 : FROM python:3.6
 ---> 2bb3204ab1d1
Step 2/9 : COPY core/ /container_core/
 ---> cc1eadcb80a3
Step 3/9 : WORKDIR /container_core
 ---> Running in e8afa25b9c9a
Removing intermediate container e8afa25b9c9a
 ---> f9b928dee6f5
Step 4/9 : RUN pip install -r requirements.txt
 ---> Running in 84f474edb526
^CERROR: Aborting.

docker-compose.yml

services:
    mongo:
        image: "mongo:4.0.5"
        container_name: compose_mongo
        restart: always
        environment:
            - MONGO_INITDB_ROOT_USERNAME=mongo
            - MONGO_INITDB_ROOT_PASSWORD=mongopass
        ports:
            - "27017:27017"
    core:
        build:
            context: /home/ivanleoncz/git/core
            dockerfile: Dockerfile
        container_name: compose_core
        depends_on:
            - mongo
        env_file:
            - .env
        ports:
            - "8000:8000"

Dockerfile

FROM python:3.6
COPY core/ /container_core/
WORKDIR /container_core
# must run before requirements
RUN pip install --upgrade pip
# pip pins a version with "==" ("urllib3=1.20" is rejected as an invalid requirement)
RUN pip install urllib3==1.20
# then, run the requirements
RUN pip install -r requirements.txt
# Note: a Dockerfile honours only the last CMD, so the four makemigrations/migrate
# CMDs below are overridden by the final "runserver" one and never run.
CMD ["python3", "manage.py", "makemigrations", "app1"]
CMD ["python3", "manage.py", "makemigrations", "app2"]
CMD ["python3", "manage.py", "makemigrations", "app3"]
CMD ["python3", "manage.py", "migrate"]
CMD ["python3", "manage.py", "runserver"]

I'm using docker-compose 1.21.2 on Ubuntu 18.04.2.

How can I guarantee that docker-compose is not using an old version of the Dockerfile, even though I'm telling it to perform the build without any cache (--no-cache)?

docker
  • 1 answer
  • 7344 Views
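The build log above carries a tell that settles the question on its own: the classic builder numbers its steps as Step k/N, where N is the number of instructions in the Dockerfile it actually parsed. The posted log says 9 steps, the posted Dockerfile contains 11 instructions, and Step 4 in the log is the pip install -r requirements.txt line rather than the fourth instruction of the edited file (pip install --upgrade pip). So --no-cache is working, but on a Dockerfile whose content is not the one shown; with build.context set to /home/ivanleoncz/git/core, the Dockerfile in that directory is the one to inspect. The script below, an added example that is not part of the question or its answer, makes that comparison mechanically. The sample Dockerfile and log are copied from the post and the function names are mine.

```python
"""Compare a Dockerfile with the 'Step k/N' lines of a docker / docker-compose
build log to detect a build that parsed a different Dockerfile than the one you
edited.  Added example; the samples below are constructed from the question."""
import re

# Constructed sample: the Dockerfile as posted in the question (11 instructions).
DOCKERFILE = """\
FROM python:3.6
COPY core/ /container_core/
WORKDIR /container_core
# must run before requirements
RUN pip install --upgrade pip
RUN pip install urllib3==1.20
# then, run the requirements
RUN pip install -r requirements.txt
CMD ["python3", "manage.py", "makemigrations", "app1"]
CMD ["python3", "manage.py", "makemigrations", "app2"]
CMD ["python3", "manage.py", "makemigrations", "app3"]
CMD ["python3", "manage.py", "migrate"]
CMD ["python3", "manage.py", "runserver"]
"""

# Constructed sample: the build log excerpt from the question (9 steps).
BUILD_LOG = """\
Building nucleo
Step 1/9 : FROM python:3.6
 ---> 2bb3204ab1d1
Step 2/9 : COPY core/ /container_core/
 ---> cc1eadcb80a3
Step 3/9 : WORKDIR /container_core
 ---> f9b928dee6f5
Step 4/9 : RUN pip install -r requirements.txt
 ---> Running in 84f474edb526
"""


def parse_dockerfile(text):
    """Return the logical instructions of a Dockerfile as 'KEYWORD args' strings.
    Blank lines and '#' comments are skipped and backslash continuations are
    joined, which is exactly what the builder counts as one step."""
    instructions, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        logical = " ".join(part for part in pending if part)
        pending = []
        keyword, _, args = logical.partition(" ")
        instructions.append(f"{keyword.upper()} {args.strip()}".strip())
    return instructions


STEP_RE = re.compile(r"^Step (\d+)/(\d+) : (.+?)\s*$", re.M)


def parse_build_log(log):
    """Return (total_steps, {step_number: instruction_text}) from 'Step k/N : ...' lines."""
    steps = {int(m.group(1)): m.group(3) for m in STEP_RE.finditer(log)}
    totals = {int(m.group(2)) for m in STEP_RE.finditer(log)}
    total = totals.pop() if len(totals) == 1 else None
    return total, steps


def diagnose(dockerfile_text, build_log):
    """Return a list of findings; an empty list means the log matches the file."""
    instructions = parse_dockerfile(dockerfile_text)
    total, steps = parse_build_log(build_log)
    findings = []
    if total is not None and total != len(instructions):
        findings.append(
            f"log reports {total} steps but this Dockerfile has {len(instructions)} "
            "instructions: the builder parsed a different file "
            "(check build.context and build.dockerfile in docker-compose.yml)")
    for k, text in sorted(steps.items()):
        if k <= len(instructions) and instructions[k - 1] != text:
            findings.append(f"step {k} ran {text!r} but instruction {k} in this file is {instructions[k - 1]!r}")
            break  # the first divergence is the informative one
    if sum(i.startswith("CMD ") for i in instructions) > 1:
        findings.append("more than one CMD: only the last one takes effect at run time")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DOCKERFILE, BUILD_LOG):
        print("-", finding)
```

Run it against the real file and a saved log (docker-compose build 2>&1 | tee build.log) to confirm before touching cache settings; a step total that does not match the file is never a caching problem.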
ivanleoncz
Asked: 2019-01-26 08:37:40 +0800 CST

nic: Something Wicked happened! ffff

  • 9

I'm configuring a GNU/Linux router using Debian Stretch (9.7). Before rebooting the server, all traffic from one interface to the other was fine, but after that I'm getting messages like this (on the tty):

enp1s6: Something Wicked happened! ffff.

For testing purposes I have a host on the same switch and the same network, and basically the router's LAN side is not responding to echo requests.

Here is some information about the server.

Kernel log

Jan 25 08:58:02 server001 kernel: [25060.494127] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.494127] 100Mbps, half duplex
Jan 25 08:58:02 server001 kernel: [25060.494254] enp1s6: Something Wicked happened! ffff.
Jan 25 08:58:02 server001 kernel: [25060.497338] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.497557] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.497557] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.499986] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.500206] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.500206] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.500447] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.500667] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.500667] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.500895] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.501114] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.501114] 10Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.501341] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.501559] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.501559] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.503985] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.504204] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.504204] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.504326] enp1s6: Something Wicked happened! ffff.
Jan 25 08:58:02 server001 kernel: [25060.529009] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.529229] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.529230] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.529484] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.529732] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.529735] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.531075] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.531295] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.531296] 100Mbps, half duplex
Jan 25 08:58:02 server001 kernel: [25060.531531] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.531751] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.531751] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.531977] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.532196] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.532196] 100Mbps, half duplex
Jan 25 08:58:02 server001 kernel: [25060.532422] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.532642] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.532642] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.532869] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.533089] enp1s6: Link changed: 
Jan 25 08:58:02 server001 kernel: [25060.533090] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.533214] enp1s6: Something Wicked happened! ffff.

lspci (nics): enp0s7 + enp1s6

00:07.0 Bridge: NVIDIA Corporation MCP61 Ethernet (rev a2)
    Subsystem: Gigabyte Technology Co., Ltd MCP61 Ethernet
    Flags: bus master, 66MHz, fast devsel, latency 0, IRQ 24, NUMA node 0
    Memory at fe02d000 (32-bit, non-prefetchable) [size=4K]
    I/O ports at f000 [size=8]
    Capabilities: [44] Power Management version 2
    Capabilities: [50] MSI: Enable+ Count=1/8 Maskable+ 64bit+
    Capabilities: [6c] HyperTransport: MSI Mapping Enable- Fixed+
    Kernel driver in use: forcedeth
    Kernel modules: forcedeth

01:06.0 Ethernet controller: Sundance Technology Inc / IC Plus Corp IC Plus IP100A Integrated 10/100 Ethernet MAC + PHY (rev 31)
    Flags: bus master, medium devsel, latency 0, IRQ 16, NUMA node 0
    I/O ports at b000 [size=128]
    Memory at fde00000 (32-bit, non-prefetchable) [size=512]
    [virtual] Expansion ROM at fdf00000 [disabled] [size=64K]
    Capabilities: [50] Power Management version 2
    Kernel driver in use: sundance
    Kernel modules: sundance

ethtool

Settings for enp0s7:
    Supported ports: [ MII ]
    Supported link modes:   10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
                            1000baseT/Full 
    Supported pause frame use: No
    Supports auto-negotiation: Yes
    Advertised link modes:  10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
                            1000baseT/Full 
    Advertised pause frame use: No
    Advertised auto-negotiation: Yes
    Speed: 100Mb/s
    Duplex: Full
    Port: MII
    PHYAD: 3
    Transceiver: external
    Auto-negotiation: on
    Supports Wake-on: g
    Wake-on: d
    Link detected: yes

Settings for enp1s6:
    Supported ports: [ TP MII ]
    Supported link modes:   10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
    Supported pause frame use: No
    Supports auto-negotiation: Yes
    Advertised link modes:  Not reported
    Advertised pause frame use: No
    Advertised auto-negotiation: No
    Speed: 100Mb/s
    Duplex: Full
    Port: MII
    PHYAD: 0
    Transceiver: internal
    Auto-negotiation: off
    Supports Wake-on: pg
    Wake-on: d
    Current message level: 0x00000001 (1)
                   drv
    Link detected: yes

ethtool statistics (enp1s6)

NIC statistics:
     tx_multiple_collisions: 26010
     tx_single_collisions: 27540
     tx_late_collisions: 5100
     tx_deferred: 27030
     tx_deferred_excessive: 26010
     tx_aborted: 6630
     tx_bcasts: 27030
     rx_bcasts: 27032
     tx_mcasts: 5610
     rx_mcasts: 27285

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp1s6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 84:16:84:16:84:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global enp1s6
       valid_lft forever preferred_lft forever
3: enp0s7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 50:e5:49:64:f6:8b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.12/24 brd 192.168.0.255 scope global enp0s7
       valid_lft forever preferred_lft forever

lsmod

Module                  Size  Used by
ip6table_filter        16384  0
ip6_tables             28672  1 ip6table_filter
xt_conntrack           16384  2
nf_conntrack_netlink    36864  0
nfnetlink              16384  6 nf_conntrack_netlink
iptable_filter         16384  1
ipt_MASQUERADE         16384  1
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
iptable_nat            16384  1
nf_conntrack_ipv4      16384  3
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 24576  2 nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack          114688  6 nf_conntrack_ipv4,nf_conntrack_netlink,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat
snd_hda_codec_realtek    90112  1
snd_hda_codec_generic    69632  1 snd_hda_codec_realtek
edac_mce_amd           28672  0
edac_core              57344  0
kvm                   598016  0
evdev                  24576  2
ppdev                  20480  0
serio_raw              16384  0
nouveau              1556480  1
joydev                 20480  0
snd_hda_intel          36864  0
mxm_wmi                16384  1 nouveau
snd_hda_codec         135168  3 snd_hda_intel,snd_hda_codec_generic,snd_hda_codec_realtek
wmi                    16384  2 mxm_wmi,nouveau
snd_hda_core           86016  4 snd_hda_intel,snd_hda_codec,snd_hda_codec_generic,snd_hda_codec_realtek
video                  40960  1 nouveau
snd_hwdep              16384  1 snd_hda_codec
ttm                    98304  1 nouveau
drm_kms_helper        155648  1 nouveau
drm                   360448  4 nouveau,ttm,drm_kms_helper
snd_pcm               110592  3 snd_hda_intel,snd_hda_codec,snd_hda_core
irqbypass              16384  1 kvm
sg                     32768  0
pcspkr                 16384  0
k10temp                16384  0
parport_pc             28672  0
parport                49152  2 parport_pc,ppdev
i2c_algo_bit           16384  1 nouveau
button                 16384  1 nouveau
snd_timer              32768  1 snd_pcm
snd                    86016  7 snd_hda_intel,snd_hwdep,snd_hda_codec,snd_timer,snd_hda_codec_generic,snd_hda_codec_realtek,snd_pcm
soundcore              16384  1 snd
acpi_cpufreq           20480  0
ip_tables              24576  3 iptable_filter,iptable_nat
x_tables               36864  6 ip_tables,iptable_filter,ipt_MASQUERADE,ip6table_filter,xt_conntrack,ip6_tables
autofs4                40960  2
ext4                  585728  2
crc16                  16384  1 ext4
jbd2                  106496  1 ext4
fscrypto               28672  1 ext4
ecb                    16384  0
glue_helper            16384  0
lrw                    16384  0
gf128mul               16384  1 lrw
ablk_helper            16384  0
cryptd                 24576  1 ablk_helper
aes_x86_64             20480  1
mbcache                16384  3 ext4
raid10                 49152  0
raid456               106496  0
async_raid6_recov      20480  1 raid456
async_memcpy           16384  2 raid456,async_raid6_recov
async_pq               16384  2 raid456,async_raid6_recov
async_xor              16384  3 async_pq,raid456,async_raid6_recov
async_tx               16384  5 async_xor,async_pq,raid456,async_memcpy,async_raid6_recov
xor                    24576  1 async_xor
raid6_pq              110592  3 async_pq,raid456,async_raid6_recov
libcrc32c              16384  1 raid456
crc32c_generic         16384  3
raid0                  20480  0
multipath              16384  0
linear                 16384  0
raid1                  36864  1
md_mod                135168  6 raid1,raid10,multipath,linear,raid0,raid456
sd_mod                 49152  7
hid_generic            16384  0
usbhid                 53248  0
hid                   122880  2 hid_generic,usbhid
ata_generic            16384  0
ohci_pci               16384  0
psmouse               135168  0
sata_nv                28672  5
forcedeth              69632  0
ehci_pci               16384  0
libata                249856  2 ata_generic,sata_nv
ohci_hcd               53248  1 ohci_pci
ehci_hcd               81920  1 ehci_pci
scsi_mod              225280  3 sd_mod,libata,sg
usbcore               253952  5 usbhid,ehci_hcd,ohci_pci,ohci_hcd,ehci_pci
sundance               32768  0
mii                    16384  1 sundance
usb_common             16384  1 usbcore
i2c_nforce2            16384  0

Any guesses?

Please bear with me: I'm a former sysadmin (from many years ago), now a software developer.

debian
  • 2 answers
  • 734 Views
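The ethtool output above carries the standard signature of a duplex mismatch: enp1s6 has auto-negotiation off and reports full duplex, yet its counters show collisions, including 5100 late collisions, which a full-duplex MAC never detects, and the kernel log flips between "half duplex" and "full duplex" within the same second. The parser below, an added example that is not part of the question or its answers, reads ethtool <if>, ethtool -S <if> and kernel log text and reports that signature. The sample text is constructed from the output in the post and the function names are mine.

```python
"""Flag a likely duplex mismatch from 'ethtool <if>', 'ethtool -S <if>' and
kernel log text.  Added example, not code from the question or its answers;
the samples are constructed from the output in the post."""
import re

# Constructed sample: the relevant lines of 'ethtool enp1s6' from the post.
SETTINGS = """\
Settings for enp1s6:
    Supported ports: [ TP MII ]
    Advertised link modes:  Not reported
    Advertised auto-negotiation: No
    Speed: 100Mb/s
    Duplex: Full
    Port: MII
    Auto-negotiation: off
    Current message level: 0x00000001 (1)
                   drv
    Link detected: yes
"""

# Constructed sample: 'ethtool -S enp1s6' from the post.
STATS = """\
NIC statistics:
     tx_multiple_collisions: 26010
     tx_single_collisions: 27540
     tx_late_collisions: 5100
     tx_deferred: 27030
     tx_deferred_excessive: 26010
     tx_aborted: 6630
     tx_bcasts: 27030
     rx_bcasts: 27032
"""

# Constructed sample: a few of the kernel log lines from the post.
KLOG = """\
Jan 25 08:58:02 server001 kernel: [25060.494127] enp1s6: Link changed:
Jan 25 08:58:02 server001 kernel: [25060.494127] 100Mbps, half duplex
Jan 25 08:58:02 server001 kernel: [25060.494254] enp1s6: Something Wicked happened! ffff.
Jan 25 08:58:02 server001 kernel: [25060.497338] enp1s6: Link up
Jan 25 08:58:02 server001 kernel: [25060.497557] enp1s6: Link changed:
Jan 25 08:58:02 server001 kernel: [25060.497557] 100Mbps, full duplex
Jan 25 08:58:02 server001 kernel: [25060.531295] enp1s6: Link changed:
Jan 25 08:58:02 server001 kernel: [25060.531296] 100Mbps, half duplex
"""


def parse_kv(text):
    """'key: value' lines after the header line -> dict.
    Continuation lines without a colon (e.g. the 'drv' flag line) are skipped."""
    out = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition(":")
        if sep and key:
            out[key.strip()] = value.strip()
    return out


def parse_stats(text):
    """ethtool -S counters as ints; non-numeric values, if any, are dropped."""
    return {k: int(v) for k, v in parse_kv(text).items() if v.isdigit()}


LINK_RE = re.compile(r"\] (\d+)Mbps, (half|full) duplex")


def link_reports(klog):
    """Sequence of (speed_mbps, duplex) the driver logged after 'Link changed'."""
    return [(int(m.group(1)), m.group(2)) for m in LINK_RE.finditer(klog)]


def duplex_flaps(klog):
    """How many consecutive link reports disagree on duplex."""
    reports = link_reports(klog)
    return sum(1 for a, b in zip(reports, reports[1:]) if a[1] != b[1])


def duplex_findings(settings_text, stats_text, klog=""):
    """Return human-readable findings; an empty list means no mismatch signature."""
    settings = parse_kv(settings_text)
    stats = parse_stats(stats_text)
    findings = []
    # A full-duplex MAC does not detect collisions at all, so any collision
    # counter on a link that claims full duplex means the peer runs half duplex.
    collisions = {k: v for k, v in stats.items() if "collision" in k and v > 0}
    if settings.get("Duplex", "").lower() == "full" and collisions:
        worst = max(collisions, key=collisions.get)
        findings.append(f"collisions counted while Duplex is Full ({worst}={collisions[worst]}): duplex mismatch with the peer")
    if stats.get("tx_late_collisions", 0) > 0:
        findings.append("tx_late_collisions > 0: the peer kept transmitting into our frames, the classic half/full mismatch symptom")
    if settings.get("Auto-negotiation", "").lower() == "off":
        findings.append("Auto-negotiation is off: a forced setting on one end leaves the other end guessing; force both ends the same or re-enable it on both")
    flaps = duplex_flaps(klog)
    if flaps:
        findings.append(f"duplex changed {flaps} times between consecutive link reports: the link is not stable")
    return findings


if __name__ == "__main__":
    for finding in duplex_findings(SETTINGS, STATS, KLOG):
        print("-", finding)
```

Feed it the live output (ethtool enp1s6, ethtool -S enp1s6, journalctl -k) and compare against the switch port's settings; the fix is on whichever side was forced, not in the kernel module list.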
ivanleoncz
Asked: 2018-04-17 12:58:21 +0800 CST

TLS handshake with abs.twimg.com - no Server Hello (Twitter page does not load properly)

  • 3

I have a network server configured with router, firewall and proxy (transparent mode) roles, filtering the web traffic of two networks behind it.

Hosts on both networks browse normally on all kinds of sites (banks, e-mail, Facebook, LinkedIn, etc.), but the Twitter site is a very peculiar case, and coincidentally (since about a month ago) the same thing started happening with YouTube and Pinterest, but I'm not focusing (for now) on those last two services: I think that if I can figure out what is happening with Twitter, I'll be able to figure out what is happening with YouTube and Pinterest (maybe...).

Basically, Twitter has a specific host/server that is also responsible for delivering the .css files and some images. When the page tries to load, the web browser shows a message in the lower-left corner saying something like TLS handshake with abs.twimg.com..., and it stays on that message and the page does not load properly, lacking structure and so on, probably because of the .css that this host cannot deliver in the scenario I'm presenting here.

So far, I identified the host/server and I basically tried to reach it using curl.

I determined that:

  • during the SSL handshake, curl does not report anything about the Server Hello
  • the host/server is a reverse proxy server (X-headers...)

Below are the details of what I have investigated so far:


Network topology

[image: network topology diagram]

Routing table (server)

$ ip route
default via 192.168.100.254 dev eth1 
10.255.255.0/26  dev eth2  proto kernel  scope link  src 10.255.255.62 
192.168.0.0/24   dev eth2  proto kernel  scope link  src 192.168.0.1 
192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.1 

IPTABLES / netfilter

# Generated by iptables-save v1.4.21 on Wed Aug 30 12:00:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Transparent Proxy Rules (SQUID)
-A PREROUTING -i eth2 -s 10.255.255.0/26 -p tcp --dport 80 -j DNAT --to-destination 10.255.255.62:3128
-A PREROUTING -i eth2 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --sport 80 -j REDIRECT --to-port 3128

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Routing (eth2 [LAN] <-> [WAN] eth1)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allowing Established Connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allowing Localhost Traffic
-A INPUT -i lo -j ACCEPT

# Blocking Localhost Traffic (from unrecognized networks)
-A INPUT ! -i lo -s 127.0.0.1/8 -j REJECT

# ICMP (Ping)
-A INPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED --icmp-type 8 -j ACCEPT

# SSH (Server Remote Access)
-A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT

# DNS
-A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 53 -j ACCEPT

# DHCP
-A INPUT -i eth2 -p udp --dport 67 --sport 68 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 68 --sport 67 -j ACCEPT

# SAMBA File Server (LAN)
-A INPUT -i eth2 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 445 -j ACCEPT

# EMAIL (SMTP)
-A INPUT -i eth2 -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 587 -j ACCEPT

# EMAIL (POP)
-A INPUT -i eth2 -p tcp --dport 110 -j ACCEPT

# EMAIL (IMAP)
-A INPUT -i eth2 -p tcp --dport 143 -j ACCEPT

# EMAIL (IMAP over SSL)
-A INPUT -i eth2 -p tcp --dport 993 -j ACCEPT

# EMAIL (POP over SSL)
-A INPUT -i eth2 -p tcp --dport 995 -j ACCEPT

# PRINTER
-A INPUT -i eth2 -p tcp --dport 515 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 631 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 9100 -j ACCEPT

# SQUID3 (see table nat)
-A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT

# Log all incoming traffic that is not listed above...
-A INPUT -i eth2 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-lan] " --log-level 7
-A INPUT -i eth1 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-wan] " --log-level 7

# Rejecting everything not listed above.
-A INPUT -j REJECT

# Accepting OUTPUT of everything, on any interface.
-A OUTPUT -j ACCEPT

curl

Behind the route server

$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
* Hostname was NOT found in DNS cache
*   Trying 104.244.46.199...
* Connected to abs.twimg.com (104.244.46.199) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Operation timed out after 0 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received

From the route server

$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
* Hostname was NOT found in DNS cache
*   Trying 72.21.91.70...
* Connected to abs.twimg.com (72.21.91.70) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*   subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=*.twimg.com
*   start date: 2017-12-02 00:00:00 GMT
*   expire date: 2018-12-05 12:00:00 GMT
*   subjectAltName: abs.twimg.com matched
*   issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*   SSL certificate verify ok.
> GET /a/1425667452/css/t1/twitter_core.bundle.css HTTP/1.1
> User-Agent: curl/7.35.0
> Host: abs.twimg.com
> Accept: */*
>
< HTTP/1.1 200 OK
< access-control-allow-origin: *
< Content-Type: text/css
< Date: Thu, 12 Apr 2018 16:48:28 GMT
< Etag: "guajswzGI2hE0uFUU9DNaw==+ident"
< expires: Fri, 12 Apr 2019 16:48:28 GMT
< Last-Modified: Fri, 06 Nov 2015 01:38:59 GMT
* Server ECS (dfw/2788) is not blacklisted
< Server: ECS (dfw/2788)
< surrogate-key: twitter-assets
< Vary: Accept-Encoding
< X-Cache: HIT
< x-connection-hash: b9f823e9ff63b5f7f0bd142be924c75b
< x-content-type-options: nosniff
< x-response-time: 33
< x-ton-expected-size: 225802
< Content-Length: 225802
<
/*! normalize.css v3.0.0 | MIT License | git.io/normalize */html{font-family:sans-serif;

TCPDUMP

  • Executed while I ran cURL from one of the hosts behind the route server
  • I used different IPs for abs.twimg.com because DNS resolution for that host is dynamic (there are many IPs behind it); in this case, the IP was 104.244.46.231
  • Looking at the tcpdump on the LAN side, two packets from this IP traverse from eth1 (WAN) to eth2 (LAN)

LAN (192.168.0.0/24 + 10.255.255.0/26)

$ tcpdump -i eth2 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes


2018-04-12 13:24:25.427316 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [S], cksum 0x6c7b (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.474012 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    104.244.46.231.https > 192.168.0.12.54464: Flags [S.], cksum 0xd51d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475244 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [.], cksum 0x73eb (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:25.476080 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x4480 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 295
2018-04-12 13:24:25.723055 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x4442 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702836 ecr 2426425241], length 295
2018-04-12 13:24:25.971095 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x4404 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702898 ecr 2426425241], length 295
2018-04-12 13:24:26.467091 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x4388 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703022 ecr 2426425241], length 295
2018-04-12 13:24:26.491546 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    104.244.46.231.https > 192.168.0.12.54464: Flags [S.], cksum 0xd412 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494245 IP (tos 0x0, ttl 64, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [.], cksum 0x71c6 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0

2018-04-12 13:24:27.459109 IP (tos 0x0, ttl 64, id 15113, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x4290 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703270 ecr 2426425241], length 295
2018-04-12 13:24:29.447605 IP (tos 0x0, ttl 64, id 15114, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x409f (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703767 ecr 2426425241], length 295
2018-04-12 13:24:33.420240 IP (tos 0x0, ttl 64, id 15115, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x3cbe (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3704760 ecr 2426425241], length 295
2018-04-12 13:24:41.371165 IP (tos 0x0, ttl 64, id 15116, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x34fa (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3706748 ecr 2426425241], length 295
2018-04-12 13:24:57.259220 IP (tos 0x0, ttl 64, id 15117, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x2576 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3710720 ecr 2426425241], length 295
2018-04-12 13:25:29.067129 IP (tos 0x0, ttl 64, id 15118, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x0666 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3718672 ecr 2426425241], length 295
2018-04-12 13:26:32.748577 IP (tos 0x0, ttl 64, id 15119, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0xc835 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3734592 ecr 2426425241], length 295

2018-04-12 13:28:32.811394 IP (tos 0x0, ttl 64, id 15120, offset 0, flags [DF], proto TCP (6), length 347)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [P.], cksum 0x52f5 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3764608 ecr 2426425241], length 295

2018-04-12 13:29:25.551683 IP (tos 0x0, ttl 64, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.12.54464 > 104.244.46.231.https: Flags [F.], cksum 0x4db8 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
18 packets captured
43 packets received by filter
0 packets dropped by kernel

WAN (192.168.100.0/24)

$ tcpdump -i eth1 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

2018-04-12 13:24:25.427501 IP (tos 0x0, ttl 63, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [S], cksum 0x0886 (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.473954 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    104.244.46.231.https > 192.168.100.1.54464: Flags [S.], cksum 0x7128 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475333 IP (tos 0x0, ttl 63, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [.], cksum 0x0ff6 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:26.491489 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    104.244.46.231.https > 192.168.100.1.54464: Flags [S.], cksum 0x701d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494369 IP (tos 0x0, ttl 63, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [.], cksum 0x0dd1 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0

2018-04-12 13:29:25.551782 IP (tos 0x0, ttl 63, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.100.1.54464 > 104.244.46.231.https: Flags [F.], cksum 0xe9c2 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0

^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

HTTP logging (Firefox Quantum)

Behind the route server, I used Mozilla Firefox Quantum's HTTP Logging feature and got these messages, which are not very clear (at least to me):

2018-04-10 19:26:31.097581 UTC - [Main Thread]: D/nsHostResolver Resolving host [abs.twimg.com].
2018-04-10 19:26:31.097602 UTC - [Main Thread]: D/nsHostResolver No usable address in cache for host [abs.twimg.com].
2018-04-10 19:26:31.097640 UTC - [Main Thread]: D/nsHostResolver DNS lookup for host [abs.twimg.com] blocking pending 'getaddrinfo' query: callback [0x7f8c647e11f0]
2018-04-10 19:26:31.097656 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [abs.twimg.com].
2018-04-10 19:26:31.221949 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - lookup completed for host [abs.twimg.com]: success.
2018-04-10 19:26:31.221978 UTC - [DNS Resolver #3]: D/nsHostResolver Caching host [abs.twimg.com] record for 60 seconds (grace 60).
2018-04-10 19:26:31.809789 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424160 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, gid=27887222652930 topwinid=180000001]
2018-04-10 19:26:31.809835 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809838 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css
2018-04-10 19:26:31.809961 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424a60 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, gid=27887222652931 topwinid=180000001]
2018-04-10 19:26:31.809990 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809993 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css
2018-04-10 19:26:31.810078 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424b80 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css, gid=27887222652932 topwinid=180000001]
2018-04-10 19:26:31.810106 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.810108 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css
2018-04-10 19:26:31.811307 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811328 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, value=0x7f8c4a7dd7e8]
2018-04-10 19:26:31.811331 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811381 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811398 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd828]
2018-04-10 19:26:31.811402 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811799 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811819 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, value=0x7f8c4a7dd808]
2018-04-10 19:26:31.811823 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811876 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811890 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd848]
2018-04-10 19:26:31.811894 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]

With all this information, I have the following questions:

  • Are any firewall rules missing, excessive, or misconfigured?
  • Why does the Server Hello packet fail to reach the requested host https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css (as reported by cURL), while, according to the tcpdump output, some packets from that host are traversing the WAN/LAN (eth1/eth2) normally?

As I said before, computers on the two networks on the LAN side are using plenty of services over HTTP or HTTPS (Google, Hotmail, Gmail, bank accounts, Amazon, etc.)...

Thanks for any interaction or guesses :).

ssl
  • 1 answer
  • 813 Views
ivanleoncz
Asked: 2018-01-20 11:42:17 +0800 CST

Installing Jenkins requires Java8 or later, but you are running 1.7.0

  • 1

Since 2017, Jenkins has dropped support for Java 7 and now runs on Java 8.

I'm trying to install Jenkins on Debian Jessie (a docker container), and I'm using the following procedure, obtained from this link:

wget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -
sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins

At the last step of the procedure, this happens:

$ apt-get install jenkins
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have 
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 jenkins : Depends: default-jre-headless (>= 2:1.8) but 2:1.7-52 is to be installed or
                java8-runtime-headless but it is not installable
E: Unable to correct problems, you have held broken packages.

I found a solution here:

$ apt install -t jessie-backports  openjdk-8-jre-headless ca-certificates-java

Anyway, I managed to install Jenkins, but when starting Jenkins, this happens:

$ sudo /etc/init.d/jenkins start
[FAIL] Starting Jenkins Automation Server: jenkins failed!


$ tail -f /var/log/jenkins/jenkins.log 
Jenkins requires Java8 or later, but you are running 1.7.0_151-b01
from /usr/lib/jvm/java-7-openjdk-amd64/jre
  java.lang.UnsupportedClassVersionError: 51.0
    at Main.main(Main.java:124)

For example, do I have to install Java 8 on Debian Jessie?

java
  • 1 answer
  • 7451 Views
ivanleoncz
Asked: 2017-09-26 11:23:41 +0800 CST

Blocking HTTPS traffic with a transparent proxy setup

  • 0

I'm working on a captive portal system and (for now) I'd like to know whether there is any way to block HTTPS traffic on a transparent proxy setup.

Here's what I have: a GNU/Linux router (Netfilter), running Squid v3.4.8, with its interfaces configured as follows.

eth2 (LAN): 192.168.0.0/24, 172.16.255.1/27, 10.255.255.0/24

eth1 (WAN): 192.168.100.0/24

These are the firewall rules I have now, and even if I use a rule like this one, for a specific IP, it doesn't work:

-A INPUT -i eth2 -p tcp -s 192.168.0.11 --dport 443 -j REJECT

I may be missing something important (sorry if I'm being too blind...). I just can't figure out why I can't simply reject access to destination port 443 for a specific IP from my network.

I'm using PREROUTING rules, but all of them route traffic destined to 80 (HTTP) to 3128 (Squid).

*nat
:PREROUTING ACCEPT [19:2473]
:INPUT ACCEPT [13:2173]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

######### SQUID (Transparent Proxy Rules) #########

-A PREROUTING -i eth2 -s 192.168.0.0/24  -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth2 -s 172.16.255.0/27 -p tcp --dport 80 -j DNAT --to-destination 172.16.255.1:3128
-A PREROUTING -i eth2 -s 10.255.255.0/26 -p tcp --dport 80 -j DNAT --to-destination 10.255.255.1:3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --sport 80 -j REDIRECT --to-port 3128

###################################################

COMMIT

*filter
:INPUT ACCEPT [18:2650]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33:3188]


########## Basic Setup + Network Traffic #########

### Default Policies
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

### ICMP (all interfaces)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

### Allow Traffic (loopback/localhost/127.0.0.1)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

### Allow Traffic (LAN)
-A INPUT -i eth2 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT

####################################################



################ Essential Services ################

### SSH (Access to Server Shell - Command Line)
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT

### DNS (Translation of Names to IP Addresses)
-A INPUT -i eth1 -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --sport 53 -j ACCEPT

### NTP (Server Clock and DHCP Clock)
-A INPUT -i eth1 -p udp --sport 123 -j ACCEPT

### SAMBA (File Server)
# WAN
-A INPUT -i eth1 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 137 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 138 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 139 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 445 -j ACCEPT
# LAN
-A INPUT -i eth2 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 445 -j ACCEPT

### EMAIL       
# SMTP
-A INPUT -i eth2 -p tcp --sport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 587 -j ACCEPT
# POP/POP over SSL
-A INPUT -i eth2 -p tcp --sport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 995 -j ACCEPT
# IMAP/IMAP over SSL
-A INPUT -i eth2 -p tcp --sport 143 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 993 -j ACCEPT

### Ubiquiti

-A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8081 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8443 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8880 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8843 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 27117 -j ACCEPT

-A INPUT -i eth2 -p tcp --sport 8080 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8081 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8443 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8880 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8843 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 27117 -j ACCEPT

####################################################



############### Additional Services ################

### VNC 
-A INPUT -i eth1 -p tcp --dport 5800 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 5900 -j ACCEPT

### DROPBOX

# LanSync
-A INPUT -i eth2 -p udp --dport 17500 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17500 -j ACCEPT
# OpenButton
-A INPUT -i eth2 -p udp --dport 17600 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17600 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 17603 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17603 -j ACCEPT

### Apple Services

# APNS (Apple Push Notification Service - iCloud)
-A INPUT -i eth2 -p tcp --dport 5223 -j ACCEPT

####################################################



######## Network Traffic + Logging + Router ########

### Allow Traffic for Opened Connections (ESTABLISHED, RELATED)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Log All Traffic (syslog)
-A INPUT -j LOG --log-prefix "[netfilter] "

### Routing Configuration (eth2 [LAN] <-> [WAN] eth1)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################

COMMIT

Any help will be greatly appreciated.

iptables
  • 2 answers
  • 1656 Views
ivanleoncz
Asked: 2017-09-22 14:49:13 +0800 CST

Squid transparent proxy + deny HTTPS access (CONNECT method)

  • 0

According to Wikipedia:

HTTP CONNECT tunneling

A variant of HTTP tunneling when behind an HTTP proxy server is to use the "CONNECT" HTTP method.[1][2] In this mechanism, the client asks the HTTP proxy server to forward the TCP connection to the desired destination. The server then proceeds to establish the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP; after that, the server simply proxies the established TCP connection.

This mechanism is how a client behind an HTTP proxy can access websites using SSL or TLS (i.e. HTTPS).

Not all HTTP proxy servers support this feature, and even those that do may limit the behaviour (for example, only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).

My question is:

Can I block access to a website, even if (later on) the access and traffic are HTTPS, but with an initial HTTP request?


I'm trying to do something like this, but it doesn't work:

acl social_networks dstdomain "/etc/squid3/acls/social_networks.acl"
http_access deny CONNECT social_networks all

Even though I'm taking the CONNECT method into account, access to the websites in this ACL still works.

proxy
  • 1 answer
  • 4308 Views
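The iptables question above and this Squid one share one cause, which this added example (mine, not code from either post) makes visible: a minimal evaluator for a condensed subset of the quoted rules, fed a constructed LAN-to-WAN HTTPS SYN. Port 443 matches no DNAT in nat PREROUTING, so the flow is never handed to Squid and no CONNECT is ever seen, and the routed packet traverses FORWARD, where a rule in INPUT is never consulted. The `FIX` rule, the packet and the 203.0.113.10 server address are my assumptions.

```python
import ipaddress
import shlex
# Condensed from the filter rules quoted in the iptables question (iptables-save syntax).
FILTER = """
-P FORWARD DROP
-A INPUT -i eth2 -p tcp -s 192.168.0.11 --dport 443 -j REJECT
-A INPUT -i eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
"""
NAT = "-A PREROUTING -i eth2 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128"
# Suggested missing rule (assumption): reject in FORWARD, placed ahead of the LAN->WAN ACCEPT.
FIX = "-A FORWARD -i eth2 -s 192.168.0.11 -p tcp --dport 443 -j REJECT"
MATCH_OPTS = {"-i", "-o", "-p", "-s", "-d", "--dport", "--sport"}

def parse(text):
    """Return ({chain: policy}, [rule]) from '-P'/'-A' lines; options not in MATCH_OPTS are ignored."""
    policies, rules = {}, []
    for t in (shlex.split(line) for line in text.strip().splitlines()):
        if t[0] == "-P":
            policies[t[1]] = t[2]
            continue
        opts = dict(zip(t[2::2], t[3::2]))
        rules.append({"chain": t[1], "target": opts.get("-j"), "to": opts.get("--to-destination"),
                      "match": {k: v for k, v in opts.items() if k in MATCH_OPTS}})
    return policies, rules

def matches(rule, pkt):
    """True when every option recorded for the rule matches the packet (CIDR for -s/-d)."""
    def ok(opt, val):
        if opt in ("-s", "-d"):
            return ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val, strict=False)
        return pkt.get(opt) == val
    return all(ok(o, v) for o, v in rule["match"].items())

def verdict(chain, text, pkt):
    """Walk one chain in order: the first terminating target wins, otherwise the chain policy."""
    policies, rules = parse(text)
    for r in rules:
        if r["chain"] == chain and r["target"] in ("ACCEPT", "DROP", "REJECT") and matches(r, pkt):
            return r["target"]
    return policies.get(chain, "ACCEPT")

def dnat_destination(text, pkt):
    """Destination after nat PREROUTING, or None when no DNAT hands the flow to Squid."""
    hits = [r["to"] for r in parse(text)[1]
            if r["chain"] == "PREROUTING" and r["target"] == "DNAT" and matches(r, pkt)]
    return hits[0] if hits else None

# Constructed packet: first SYN from the LAN host to an external HTTPS server (TEST-NET-3 address).
SYN443 = {"-i": "eth2", "-o": "eth1", "-p": "tcp", "-s": "192.168.0.11", "-d": "203.0.113.10", "--dport": "443"}
```

verdict("FORWARD", FILTER, SYN443) returns ACCEPT and dnat_destination(NAT, SYN443) returns None, while inserting FIX before the FORWARD ACCEPT line turns the verdict into REJECT.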
ivanleoncz
Asked: 2017-05-31 07:59:31 +0800 CST

Listing open files on a shared folder

  • 1

I have a File Server on my network running Debian Jessie 8.7, with Samba 4.2.14.

So far I have configured only one shared folder for the whole network, and I'd like to see whether there are any open files on this share.


  • When running smbstatus -L, it doesn't point to any information about open or locked files.

    $  smbstatus -L
    Registered MSG_REQ_POOL_USAGE
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
    No locked files
    
  • Using lsof, it only gives me information about processes using the shared folder on the server's local filesystem.

    $ lsof | grep backup
    smbd      1432      root  cwd    DIR     8,9     4096       2 /backup/local
    
  • Likewise with fuser, it doesn't provide any information about open or locked files. It only shows the PID that is using the shared folder on the server's local filesystem.

    $ fuser /backup/local
    /backup/local:  1432c
    

There are some other options for tracking open files, such as:

  • Using a shell script, listing all files with extensions such as .doc, .docx, .xls, .xlsx, and creating an if [ -f ".~lock.new_document.docx#" ] ; then to determine whether a Microsoft Office file is open, but this workaround is not what I'm looking for.

  • Using a VFS module to audit operations on any file in the shared folder could feed such a shell script, but it isn't practical.


Does anyone know of any tool that can list open/locked files on a Samba shared folder, since smbstatus -L doesn't seem to be an option for solving this?

samba4
  • 1 answer
  • 11511 Views
ivanleoncz
Asked: 2017-03-25 21:46:03 +0800 CST

How do I change the default storage pool in libvirt?

  • 22

I'm trying to use a different storage pool on KVM to store the virtual disks of my VMs, as well as the ISOs of the operating systems I'm using.

For example: I want to use /media/work/kvm, a directory mounted from /dev/sda5, as the default storage pool for all future cases.

Configuring, creating and starting a new storage pool is easy, but at least on Ubuntu, it doesn't matter whether I select an ISO from a different storage pool: Virtual Machine Manager always points me to the default storage pool (/var/cache/libvirt) as the storage where the virtual disk of my VM will be created.

How can I avoid this?

kvm-virtualization
  • 4 answers
  • 48132 Views
ivanleoncz
Asked: 2016-06-13 20:28:38 +0800 CST

package org.json does not exist

  • 0

I downloaded the JSON library for Java from Maven Repo and installed the .JAR file in the Java library directory on Ubuntu 14.04. I tried to compile a simple JAVA snippet for JSON parsing, but the compiler (javac) tells me that the "org.json" library does not exist..

Here are some details.

$ echo $CLASSPATH
/usr/share/java

$ ll /usr/share/java/json*
-rw-r--r-- 1 root root 49176 Jun 12 22:31 /usr/share/java/json-20160212.jar

$ jar tf /usr/share/java/json-20160212.jar 
META-INF/MANIFEST.MF
META-INF/
META-INF/maven/
META-INF/maven/org.json/
META-INF/maven/org.json/json/
META-INF/maven/org.json/json/pom.properties
META-INF/maven/org.json/json/pom.xml
org/
org/json/
org/json/CDL.class
org/json/Cookie.class
org/json/CookieList.class
org/json/HTTP.class
org/json/HTTPTokener.class
org/json/JSONArray.class
org/json/JSONException.class
org/json/JSONML.class
org/json/JSONObject$1.class
org/json/JSONObject$Null.class
org/json/JSONObject.class
org/json/JSONString.class
org/json/JSONStringer.class
org/json/JSONTokener.class
org/json/JSONWriter.class
org/json/Property.class
org/json/XML.class
org/json/XMLTokener.class

$ javac JsonParser.java 
JsonParser.java:1: error: package org.json does not exist
import org.json.*;
^
1 error

If I already have $CLASSPATH set, why does the Java compiler tell me the library doesn't exist, when it does?

java environment-variables json ubuntu-14.04
  • 1 answer
  • 24663 Views
