Eu tenho um Network Server configurado com as funções Roteador, Firewall e Proxy (Modo Transparente), para filtrar o tráfego de rede de duas redes por trás deste Network Server.

Os hosts de ambas as redes estão navegando normalmente em sites de todos os tipos (bancos, e-mails, Facebook, Linkedin, etc.), mas há uma situação muito específica no site do Twitter e por coincidência (há um mês) , o mesmo começou a acontecer com o Youtube e o Pinterest, mas eu não estou concentrando meus esforços (agora) nestes dois últimos serviços: eu acho que, se eu puder descobrir o que está acontecendo com o Twitter, eu posso descobrir o que está acontecendo com Youtube e Pinterest (talvez ...).

Basicamente, existe um servidor / servidor específico do Twitter, que é responsável por entregar arquivos .CSS e algumas imagens também. Enquanto a página está tentando carregar, há uma mensagem no Navegador da Web informando algo como TLS handshake with abs.twimg.com... no canto esquerdo (abaixo), e ela mantém essa mensagem e a página não carrega corretamente, sem estrutura, etc., provavelmente por causa dos .CSSs que não podem ser entregues por esse host, no cenário que estou apresentando aqui.

Até agora, identifiquei o host / servidor e basicamente tentei executar uma solicitação simples com curl .

Identifiquei que:

• durante o handshake SSL, curl não informa nada sobre Server Hello
• o host / servidor, é um servidor proxy reverso (cabeçalhos X ...)

Aqui estão os detalhes da minha investigação até agora:

Topologia de rede

Tabeladeroteamento(servidor)

$iproutedefaultvia192.168.100.254deveth110.255.255.0/26deveth2protokernelscopelinksrc10.255.255.62192.168.0.0/24deveth2protokernelscopelinksrc192.168.0.1192.168.100.0/24deveth1protokernelscopelinksrc192.168.100.1

IPTABLES/Netfilter

#Generatedbyiptables-savev1.4.21onWedAug3012:00:312017*nat:PREROUTINGACCEPT[0:0]:INPUTACCEPT[0:0]:OUTPUTACCEPT[0:0]:POSTROUTINGACCEPT[0:0]#TransparentProxyRules(SQUID)-APREROUTING-ieth2-s10.255.255.0/26-ptcp--dport80-jDNAT--to-destination10.255.255.62:3128-APREROUTING-ieth2-s192.168.0.0/24-ptcp--dport80-jDNAT--to-destination192.168.0.1:3128-APOSTROUTING-oeth1-jMASQUERADE-APREROUTING-ieth1-ptcp--sport80-jREDIRECT--to-port3128COMMIT*filter:INPUTACCEPT[0:0]:FORWARDACCEPT[0:0]:OUTPUTACCEPT[0:0]#Routing(eth2[LAN]<->[WAN]eth1)-AFORWARD-ieth2-oeth1-jACCEPT-AFORWARD-ieth1-oeth2-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT#AllowingEstablishedConnections-AINPUT-mconntrack--ctstateESTABLISHED,RELATED-jACCEPT#AllowingLocalhostTraffic-AINPUT-ilo-jACCEPT#BlockingLocalhostTraffic(fromunrecognizednetworks)-AINPUT!-ilo-s127.0.0.1/8-jREJECT#ICMP(Ping)-AINPUT-picmp-mconntrack--ctstateNEW,ESTABLISHED,RELATED--icmp-type8-jACCEPT#SSH(ServerRemoteAccess)-AINPUT-ieth2-ptcp--dport22-jACCEPT#DNS-AINPUT-ieth2-pudp--dport53-jACCEPT-AINPUT-ieth2-ptcp--dport53-jACCEPT#DHCP-AINPUT-ieth2-pudp--dport67--sport68-jACCEPT-AINPUT-ieth2-pudp--dport68--sport67-jACCEPT#SAMBAFileServer(LAN)-AINPUT-ieth2-pudp--dport137-jACCEPT-AINPUT-ieth2-ptcp--dport137-jACCEPT-AINPUT-ieth2-pudp--dport138-jACCEPT-AINPUT-ieth2-ptcp--dport138-jACCEPT-AINPUT-ieth2-pudp--dport139-jACCEPT-AINPUT-ieth2-ptcp--dport139-jACCEPT-AINPUT-ieth2-pudp--dport445-jACCEPT-AINPUT-ieth2-ptcp--dport445-jACCEPT#EMAIL(SMTP)-AINPUT-ieth2-ptcp--dport25-jACCEPT-AINPUT-ieth2-ptcp--dport587-jACCEPT#EMAIL(POP)-AINPUT-ieth2-ptcp--dport110-jACCEPT#EMAIL(IMAP)-AINPUT-ieth2-ptcp--dport143-jACCEPT#EMAIL(IMAPoverSSL)-AINPUT-ieth2-ptcp--dport993-jACCEPT#EMAIL(POPoverSSL)-AINPUT-ieth2-ptcp--dport995-jACCEPT#PRINTER-AINPUT-ieth2-ptcp--dport515-jACCEPT-AINPUT-ieth2-ptcp--dport631-jACCEPT-AINPUT-ieth2-ptcp--dport9100-jACCEPT#SQUID3(seetablenat)-AINPUT-ieth2-ptcp--dport3128-jACCEPT#Logallincomingtrafficthatisnotlistedabove...-AINPUT-ieth2-mlimit--limit1/min-jLOG--log-prefix"[netfilter-drop-in-lan] " --log-level 7
-A INPUT -i eth1 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-wan] " --log-level 7

# Rejecting everything not listed above.
-A INPUT -j REJECT

# Accepting OUTPUT of everything, on any interface.
-A OUTPUT -j ACCEPT

cURLs

Atrás do servidor de rotas

$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
Hostname was NOT found in DNS cache Trying 104.244.46.199...
Connected to abs.twimg.com (104.244.46.199) port 443 (#0) successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs SSLv3, TLS handshake, Client hello (1):
Operation timed out after 0 milliseconds with 0 out of 0 bytes received Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received

Passando o Servidor de Rota

$ curl https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css -v
Hostname was NOT found in DNS cache Trying 72.21.91.70...
Connected to abs.twimg.com (72.21.91.70) port 443 (#0) successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12): SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20): SSL connection using ECDHE-RSA-AES128-GCM-SHA256
Server certificate: subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=.twimg.com start date: 2017-12-02 00:00:00 GMT
expire date: 2018-12-05 12:00:00 GMT subjectAltName: abs.twimg.com matched
issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA SSL certificate verify ok.

GET /a/1425667452/css/t1/twitter_core.bundle.css HTTP/1.1
User-Agent: curl/7.35.0
Host: abs.twimg.com
Accept: /

< HTTP/1.1 200 OK
< access-control-allow-origin:
< Content-Type: text/css
< Date: Thu, 12 Apr 2018 16:48:28 GMT
< Etag: "guajswzGI2hE0uFUU9DNaw==+ident"
< expires: Fri, 12 Apr 2019 16:48:28 GMT
< Last-Modified: Fri, 06 Nov 2015 01:38:59 GMT Server ECS (dfw/2788) is not blacklisted
< Server: ECS (dfw/2788)
< surrogate-key: twitter-assets
< Vary: Accept-Encoding
< X-Cache: HIT
< x-connection-hash: b9f823e9ff63b5f7f0bd142be924c75b
< x-content-type-options: nosniff
< x-response-time: 33
< x-ton-expected-size: 225802
< Content-Length: 225802
<
/! normalize.css v3.0.0 | MIT License | git.io/normalize /html{font-family:sans-serif;

TCPDUMP

• foi executado enquanto eu executava uma cURL de um dos hosts por trás do servidor de roteamento
• usei IPs diferentes para abs.twimg.com porque a resolução de DNS desse host é dinâmica (muitos IPs por trás dele) e, nesse caso, o IP era 104.244.46.231
• olhando para o tcpdump para o lado da LAN, existem dois pacotes deste IP, passando de eth1 (WAN) para eth2 (LAN)

LAN (192.168.0.0/24 + 10.255.255.0/26)

$ tcpdump -i eth2 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes


2018-04-12 13:24:25.427316 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [S], cksum 0x6c7b (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.474012 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd51d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475244 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x73eb (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:25.476080 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4480 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 295
2018-04-12 13:24:25.723055 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4442 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702836 ecr 2426425241], length 295
2018-04-12 13:24:25.971095 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4404 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702898 ecr 2426425241], length 295
2018-04-12 13:24:26.467091 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4388 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703022 ecr 2426425241], length 295
2018-04-12 13:24:26.491546 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd412 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494245 IP (tos 0x0, ttl 64, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x71c6 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0

2018-04-12 13:24:27.459109 IP (tos 0x0, ttl 64, id 15113, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4290 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703270 ecr 2426425241], length 295
2018-04-12 13:24:29.447605 IP (tos 0x0, ttl 64, id 15114, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x409f (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703767 ecr 2426425241], length 295
2018-04-12 13:24:33.420240 IP (tos 0x0, ttl 64, id 15115, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x3cbe (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3704760 ecr 2426425241], length 295
2018-04-12 13:24:41.371165 IP (tos 0x0, ttl 64, id 15116, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x34fa (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3706748 ecr 2426425241], length 295
2018-04-12 13:24:57.259220 IP (tos 0x0, ttl 64, id 15117, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x2576 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3710720 ecr 2426425241], length 295
2018-04-12 13:25:29.067129 IP (tos 0x0, ttl 64, id 15118, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x0666 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3718672 ecr 2426425241], length 295
2018-04-12 13:26:32.748577 IP (tos 0x0, ttl 64, id 15119, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0xc835 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3734592 ecr 2426425241], length 295

2018-04-12 13:28:32.811394 IP (tos 0x0, ttl 64, id 15120, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x52f5 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3764608 ecr 2426425241], length 295

2018-04-12 13:29:25.551683 IP (tos 0x0, ttl 64, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [F.], cksum 0x4db8 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
18 packets captured
43 packets received by filter
0 packets dropped by kernel

WAN (192.168.100.0/24)

$ tcpdump -i eth1 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

2018-04-12 13:24:25.427501 IP (tos 0x0, ttl 63, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [S], cksum 0x0886 (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.473954 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x7128 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475333 IP (tos 0x0, ttl 63, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0ff6 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:26.491489 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x701d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494369 IP (tos 0x0, ttl 63, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0dd1 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0

2018-04-12 13:29:25.551782 IP (tos 0x0, ttl 63, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [F.], cksum 0xe9c2 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0

^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

Registro HTTP (Firefox Quantum)

Atrás do servidor de rotas, usei o recurso Registro HTTP do Mozilla Firefox Quantum , Recebi estas mensagens, que não são tão claras (pelo menos para mim):

2018-04-10 19:26:31.097581 UTC - [Main Thread]: D/nsHostResolver Resolving host [abs.twimg.com].
2018-04-10 19:26:31.097602 UTC - [Main Thread]: D/nsHostResolver No usable address in cache for host [abs.twimg.com].
2018-04-10 19:26:31.097640 UTC - [Main Thread]: D/nsHostResolver DNS lookup for host [abs.twimg.com] blocking pending 'getaddrinfo' query: callback [0x7f8c647e11f0]
2018-04-10 19:26:31.097656 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [abs.twimg.com].
2018-04-10 19:26:31.221949 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - lookup completed for host [abs.twimg.com]: success.
2018-04-10 19:26:31.221978 UTC - [DNS Resolver #3]: D/nsHostResolver Caching host [abs.twimg.com] record for 60 seconds (grace 60).
2018-04-10 19:26:31.809789 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424160 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, gid=27887222652930 topwinid=180000001]
2018-04-10 19:26:31.809835 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809838 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css
2018-04-10 19:26:31.809961 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424a60 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, gid=27887222652931 topwinid=180000001]
2018-04-10 19:26:31.809990 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.809993 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css
2018-04-10 19:26:31.810078 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424b80 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css, gid=27887222652932 topwinid=180000001]
2018-04-10 19:26:31.810106 UTC - [Main Thread]: V/nsHttp host=abs.twimg.com port=-1
2018-04-10 19:26:31.810108 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_2.bundle.css
2018-04-10 19:26:31.811307 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811328 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css, value=0x7f8c4a7dd7e8]
2018-04-10 19:26:31.811331 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_core.bundle.css]
2018-04-10 19:26:31.811381 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811398 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd828]
2018-04-10 19:26:31.811402 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811799 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811819 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css, value=0x7f8c4a7dd808]
2018-04-10 19:26:31.811823 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_twitter_more_1.bundle.css]
2018-04-10 19:26:31.811876 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811890 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd848]
2018-04-10 19:26:31.811894 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]

Com todas essas informações, tenho a seguinte pergunta:

• Existe alguma falta, excesso ou má configuração das regras do Firewall?
• Por que os pacotes Server Hello não conseguem acessar o host que solicitou https://abs.twimg.com/a/1425667452/css/t1/twitter_core.bundle.css (conforme descrito no cURLs), mas alguns pacotes desse host estão passando pela WAN / LAN (eth1 / eth2 ) normalmente, de acordo com tcpdump output?

Como eu disse antes, os computadores das duas redes no lado da LAN estão usando muitos serviços, seja via HTTP ou HTTPS (Google, Hotmail, Gmail, Contas Bancárias, Amazon, etc.) ...

Obrigado por qualquer interação ou palpite:).