The great (fire)wall: how China's internet worksThe great (fire)wall: how China's internet works<br>July 3, 2026 · 9 min read<br>By Kyle Jeong<br>A few weeks ago, I traveled through China, a country famous for two great walls: the 13k+ mile stone one you can walk on,
me on the great wall
And the Great Firewall (GFW), a machine.
This post covers how their country-wide firewall works.
TLDR; A mirror of every packet gets scanned against a blocklist in milliseconds, and if you hit one, a forged reply is fired back to kill the connection before the real server's answer can arrive. The whole system is a bet that a spoofed packet, sent from closer, beats the truth.
The shape of China's internet
China adopted the internet (reluctantly) around the same time that the rest of the world did in 1994. The CCP initially pushed back and believed the internet would do more harm than good, and tried to stop citizens from accessing it. Running a propaganda machine is hard enough, imagine introducing the internet: a place where anyone could publish information and anyone with access could consume it.
Today, nearly all traffic between China and the outside world crosses through a small number of international gateways run by three state carriers (China Telecom, China Unicom, China Mobile), landing at roughly ten backbone access points tied to submarine-cable stations.
The system grew out of the Golden Shield Project, spun up in 1998 under chief architect Fang Binxing, the "father of the Great Firewall."
In-path vs on-path
A firewall is a filter between two networks deciding which packets live and which die. There are two ways to wire one, and the difference controls everything downstream.
In-path (inline) means the box (a dedicated firewall or DPI appliance, or filtering built into the border router itself) physically sits in the traffic path. Every packet routes through it, so it can drop, delay, or rewrite anything. This is total control, but at scale it becomes a bottleneck and SPOF, and sizing an inline box for a country's entire border bandwidth is as expensive as you can imagine.
On-path means the box sits off to the side and gets a copy of the traffic via a tap. It observes everything but cannot stop a packet already in flight. Its only weapon is to inject forged packets and hope they arrive first. The GFW is on-path, sometimes called "inline passive," and that constraint is why it must win a physical race rather than simply drop your data (Censored Planet, Marczak et al. 2015).
Since injected packets and the real packets coexist, you can observe both.
drag the server-distance slider: the closer the real server, the more often its response beats the injected reset
The hardware: tap, detect, inject
There are three physical stages, and they run as separate systems.
1. Tap: The router copies the packet.
The gateway router copies every passing packet at line rate, either through an optical splitter (a prism on the fiber that duplicates the light) or a SPAN port (switched port analyzer, a router feature that mirrors traffic to another port).
The copy is made at the router's ASIC / NP layer (application-specific chip and network processor that forward packets in hardware, not the CPU), so the original packet keeps moving with zero added latency (hardware DPI overview).
2. Detect : They inspect the info in the packet.
The mirrored copies fan out to a cluster of DPI boxes (deep packet inspection), sourced largely from Huawei and ZTE. One link carries more traffic than any single box can handle, so the cluster load-balances. Every packet in a given TCP connection is hashed to the same process, so that process can hold the connection's state.
These detectors reassemble IP fragments and TCP segments, track the handshake, and (since late 2008) just inspect the first HTTP GET or the TLS handshake rather than every individual packet. Unfortunately, hashing to process is also a weakness. If the outbound and return paths of a connection traverse different gateways (asymmetric routing), no single process sees the whole flow, and the firewall can miss it.1
3. Inject : Send a fake packet to race the "bad" packet to the requester.
When a detector matches a rule, it signals a separate injector that spoofs packets straight back onto the link: a forged DNS answer, or a forged TCP reset. Sensing and injection are different planes, which is why the firewall can be both omniscient and unable to actually block an in-flight packet.
What happens to the packet
These are the 3 mechanisms, in order of how early they fire.
DNS poisoning
Before your phone reaches Google it asks a resolver "what IP is google.com?" over DNS, with a single UDP packet. The injector sees the query and fires back a forged A-record pointing at a bogus IP pulled from a fixed rotation pool (researchers catalogued 592 addresses cycled deterministically).
Because the injector is physically closer than the real resolver, its answer usually wins, and your resolver...