A few weeks ago, I traveled through China, a country famous for two great walls: the 13k+ mile stone one you can walk on,
And the Great Firewall (GFW), a machine.
This post covers how their country-wide firewall works.
TLDR; A mirror of every packet gets scanned against a blocklist in milliseconds, and if you hit one, a forged reply is fired back to kill the connection before the real server's answer can arrive. The whole system is a bet that a spoofed packet, sent from closer, beats the truth.
The shape of China's internet
China adopted the internet (reluctantly) around the same time that the rest of the world did in 1994. The CCP initially pushed back and believed the internet would do more harm than good, and tried to stop citizens from accessing it. Running a propaganda machine is hard enough, imagine introducing the internet: a place where anyone could publish information and anyone with access could consume it.
Today, nearly all traffic between China and the outside world crosses through a small number of international gateways run by three state carriers (China Telecom, China Unicom, China Mobile), landing at roughly ten backbone access points tied to submarine-cable stations.
The system grew out of the Golden Shield Project, spun up in 1998 under chief architect Fang Binxing, the "father of the Great Firewall."
In-path vs on-path
A firewall is a filter between two networks deciding which packets live and which die. There are two ways to wire one, and the difference controls everything downstream.
In-path (inline) means the box (a dedicated firewall or DPI appliance, or filtering built into the border router itself) physically sits in the traffic path. Every packet routes through it, so it can drop, delay, or rewrite anything. This is total control, but at scale it becomes a bottleneck and SPOF, and sizing an inline box for a country's entire border bandwidth is as expensive as you can imagine.
On-path means the box sits off to the side and gets a copy of the traffic via a tap. It observes everything but cannot stop a packet already in flight. Its only weapon is to inject forged packets and hope they arrive first. The GFW is on-path, sometimes called "inline passive," and that constraint is why it must win a physical race rather than simply drop your data (Censored Planet, Marczak et al. 2015).
Since injected packets and the real packets coexist, you can observe both.
The hardware: tap, detect, inject
There are three physical stages, and they run as separate systems.
1. Tap: The router copies the packet.
The gateway router copies every passing packet at line rate, either through an optical splitter (a prism on the fiber that duplicates the light) or a SPAN port (switched port analyzer, a router feature that mirrors traffic to another port).
The copy is made at the router's ASIC / NP layer (application-specific chip and network processor that forward packets in hardware, not the CPU), so the original packet keeps moving with zero added latency (hardware DPI overview).
2. Detect: They inspect the info in the packet.
The mirrored copies fan out to a cluster of DPI boxes (deep packet inspection), sourced largely from Huawei and ZTE. One link carries more traffic than any single box can handle, so the cluster load-balances. Every packet in a given TCP connection is hashed to the same process, so that process can hold the connection's state.
These detectors reassemble IP fragments and TCP segments, track the handshake, and (since late 2008) just inspect the first HTTP GET or the TLS handshake rather than every individual packet. Unfortunately, hashing to process is also a weakness. If the outbound and return paths of a connection traverse different gateways (asymmetric routing), no single process sees the whole flow, and the firewall can miss it.1
3. Inject: Send a fake packet to race the "bad" packet to the requester.
When a detector matches a rule, it signals a separate injector that spoofs packets straight back onto the link: a forged DNS answer, or a forged TCP reset. Sensing and injection are different planes, which is why the firewall can be both omniscient and unable to actually block an in-flight packet.

What happens to the packet
These are the 3 mechanisms, in order of how early they fire.
DNS poisoning
Before your phone reaches Google it asks a resolver "what IP is google.com?" over DNS, with a single UDP packet. The injector sees the query and fires back a forged A-record pointing at a bogus IP pulled from a fixed rotation pool (researchers catalogued 592 addresses cycled deterministically).
Because the injector is physically closer than the real resolver, its answer usually wins, and your resolver caches the lie.
To watch the tampering from the US, use a vantage point that already lives inside China: GreatFire and OONI Explorer both probe from within the border and log the poisoned DNS in real time.
TCP RST injection
If DNS resolves and a TCP connection opens, content inspection kicks in. The detector reads the first HTTP GET (or TLS handshake) and matches the URL and payload against a keyword blacklist.
On a hit, the injector forges RST packets (the TCP reset flag that tells both ends "tear this connection down now") aimed at the client and the server.
The forged reset is a precise impersonation. Here's what's in it versus the real thing:
forged RST from the GFW legitimate packet from Google
-------------------------------- --------------------------------
src IP = Google's IP (spoofed) src IP = Google's IP (real)
seq/ack = lifted from the seq/ack = correct by construction
handshake it observed
flags = RST (or RST/ACK) flags = ACK / PSH
TTL = wrong: hops from the TTL = consistent with the
injector, not Google real path from Google
That TTL mismatch is gives it away; the forged packet took a different number of hops than a genuine one, which is how the injection is detected. The GFW sends several RSTs with different ACK numbers so at least one lands even if Google's real data arrives first, then holds a per-flow block on that source/dest/port tuple for minutes at a time.
SNI and DPI over TLS
HTTPS encrypts the payload but leaks the destination. When your browser opens a TLS connection it sends the hostname in cleartext inside the SNI field (Server Name Indication, the "which site am I asking for" hint). The DPI cluster parses the ClientHello, reads the SNI, and resets the connection if the name is on the block list.
The fix is ECH (Encrypted Client Hello, which encrypts the SNI too), successor to ESNI. China responded by blocking ESNI-style handshakes wholesale in 2020. If the firewall can't read the "label," it drops the whole packet. QUIC is the next contested surface for the same reason.
The arms race
Every block seeds a workaround, and every workaround a better block.
Round one was the VPN. It worked until the firewall learned to fingerprint the legacy protocols: IPSec, L2TP, and PPTP all ride fixed ports and leave handshake traces, so the GFW throttles or resets anything shaped like them. While most VPNs are blocked, there are a handful of VPN providers that work around these restrictions (explaining them would require another post).
Then the tunnels learned to hide. Shadowsocks and V2Ray wrap your traffic to resemble ordinary HTTPS, and Trojan goes further by sitting behind a real TLS certificate so it reads as a plain website. The firewall answered with active probing: when it spots a suspicious server, it opens its own connection and speaks proxy protocols at it, and if the server answers like a proxy, the IP gets blacklisted.
The solution to that was obfs4 stays silent unless the client proves an out-of-band shared secret, so a prober that doesn't already know the key gets nothing back.
The 2025 leak of Geedge Networks' Tiangou Secure Gateway shows ML classifiers that flag tunnels by traffic shape (packet sizes, timing, flow fingerprints) without having to read a payload byte.
The human layer
Human content moderation on domestic platforms (like Weibo or WeChat) is a separate system with humans in the loop, and it exists because Mandarin makes keyword filtering leaky. The language is dense with homophones, so people swap in characters that sound identical but read differently, avoiding the blacklist that matches exact strings.
An early workaround was calendar math. To discuss the Tiananmen crackdown of June 4, people write "May 35th" (May has 31 days, so the 35th rolls over to June 4) to avoid being blocked. The word "Censorship" itself gets renamed river crab (héxiè), a near-homophone for the Party's word harmony (héxié), so "getting harmonized" becomes slang for being scrubbed.
The only way to keep up with these terms is with human moderation, which alone employs over 100k people in China.
The future of China's internet
As ECH, DoH (DNS over HTTPS), and QUIC push every readable label inside an encrypted envelope, keyword lists and SNI parsing age out, and the firewall pivots to behavioral ML-based classification.
Within a few years the dominant blocking signal in heavily censored networks will be a learned traffic-shape classifier, not a keyword table/list. The way around it will be tools that make your traffic "statistically boring" rather than just encrypted.
Understanding the complexity of China's restricted internet makes me grateful to live in the US, where we have access to a free and open internet.
→ Kyle
Footnotes
- 1.
On any given link the GFW runs reassembly and matching across many parallel processes, hashing each connection to one process so state stays consistent; asymmetric routing that splits a flow across gateways can slip past it entirely (Marczak et al. 2015).