I have an Ubuntu 14 based firewall running iptables configured through FWBuilder. If I ssh onto the firewall and run
openssl s_client -connect 184.108.40.206:443
I get a full set of responses
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Paoli/O=Duck Duck Go, Inc./CN=*.duckduckgo.com
etc. (there's lots more returned), but if I try it on a client (either a Mac OS X 10.10.5 client or a Linux Raspbian 7 client) accessing the network through the firewall, all I get back is
And nothing else.
Now it isn't all sites. https://www.google.co.uk works on the client as well as the firewall, but clearly https://www.duckduckgo.com doesn't, so it is something to do with the TLS that these sites are using. I also have the same issue with some IMAP over SSL/TLS hosts, but not all... It did work until a recent network outage required a firewall reboot, but not now.
I cannot fathom out why I don't get a response and neither can the SAs sat around me come up with any solutions. Any ideas?