Netgate Discussion Forum

Please help How I do block ISP send me TCPflag rst connection reset

  • Y
    yon
    last edited by Nov 6, 2012, 6:57 PM Nov 6, 2012, 6:32 PM

    I live in a country where, just now, the ISP blocks visiting a lot of other countries' internet sites; for example, I can't visit any *.wordpress.com blog.

    I have used IPv6 to visit them and tried using a VPN, but none of these ways lets me visit other countries' sites. It should be the ISP network that sends me the connection reset.

    I can tracert to the sites and ping them, but I cannot visit other countries' sites. If I input some keywords in the www.google.com search, then the connection to www.google.com is reset and I can't visit it.

    I also can't visit www.youtube.com; only just now, when I tried https://www.youtube.com over the IPv6 network, could I open it.

    Can PF v2.1 be used to block the ISP from doing this? Does anyone have a good way to fix it?   ???

    If you are interested in free peering for clearnet and dn42,contact me !

    • B
      bkraptor
      last edited by Nov 7, 2012, 4:00 PM

      You could try to capture the traffic, identify the type of reset that is being sent - I suspect TCP with RST flag, but some others, then apply an inbound rule that drops such traffic. The disadvantage in doing this is that any other legitimate RST segments would also be ignored, resulting in TCP sessions having to time out instead of being successfully ended.

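The capture-and-identify step suggested in the post above, as an added example that is not part of the original thread: it parses raw IPv4/TCP packets, lists every segment carrying the RST flag, and marks a reset as suspect when its TTL differs from the TTL first seen from the same sender on that flow. The TTL comparison is a heuristic assumed here, not something the posters describe, and the packets are constructed samples using documentation addresses.

```python
import struct
RST, SYN, ACK = 0x04, 0x02, 0x10

def parse_ipv4_tcp(pkt):
    """Return (flow_key, ttl, flags), or None if pkt is not IPv4 carrying TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, sport, dport), pkt[8], pkt[ihl + 13]

def classify_resets(packets, ttl_slack=2):
    """List each RST; suspect when TTL is off the sender's first non-RST TTL."""
    baseline, findings = {}, []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        key, ttl, flags = parsed
        if not flags & RST:
            baseline.setdefault(key, ttl)      # remember the sender's usual TTL
            continue
        base = baseline.get(key)
        findings.append({
            "flow": key, "ttl": ttl, "baseline_ttl": base,
            "kind": "RST+ACK" if flags & ACK else "RST",
            "suspect": base is not None and abs(ttl - base) > ttl_slack,
        })
    return findings

def build(src, dst, sport, dport, ttl, flags):
    """Constructed 40-byte IPv4+TCP packet for the sample (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)

# Constructed sample capture using documentation addresses (not from the thread).
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    build(CLIENT, SERVER, 50000, 80, 64, SYN),
    build(SERVER, CLIENT, 80, 50000, 47, SYN | ACK),
    build(SERVER, CLIENT, 80, 50000, 47, ACK),
    build(SERVER, CLIENT, 80, 50000, 58, RST),        # TTL differs from baseline
    build(SERVER, CLIENT, 80, 50000, 47, RST | ACK),  # TTL matches baseline
]
```
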
      • Y
        yon
        last edited by Nov 7, 2012, 9:19 PM

        I think that when the ISP finds the IP data contains blocklisted keywords, it automatically blocks the data transfer.

        I think there are two ways to solve this. One way is to encrypt all data, including the header of the IP data packets, so that the ISP cannot know the destination address.

        The other is to ignore the information the ISP sends to block the connection.

        I do not know exactly how to implement this.

        • C
          cmb
          last edited by Nov 7, 2012, 9:46 PM

          The RST isn't what's blocking the connection, that's just the "Great Firewall" being kind and letting the client know it killed its connection so it doesn't hang. A VPN tunnel out to a different country that doesn't do such blocking is the only way around that.

          • Y
            yon
            last edited by Nov 7, 2012, 10:37 PM

            @cmb:

            The RST isn't what's blocking the connection, that's just the "Great Firewall" being kind and letting the client know it killed its connection so it doesn't hang. A VPN tunnel out to a different country that doesn't do such blocking is the only way around that.

            I have now tried using a VPN, but the new version of the "Great Firewall" can still block visits. The new version started about a week ago. When I visit sites, it shows connection reset. I also tried using Opera Turbo; these ways can't solve this problem.

            Fortunately, I can access this pf site, but the pf site can't show any blocked keywords; otherwise it will be blocked. Therefore, I am very worried.

            • Y
              yon
              last edited by Nov 7, 2012, 10:47 PM

              @cmb:

              The RST isn't what's blocking the connection, that's just the "Great Firewall" being kind and letting the client know it killed its connection so it doesn't hang. A VPN tunnel out to a different country that doesn't do such blocking is the only way around that.

              If I input these words of yours in google.com, then google.com gets blocked now. I have tried.  ;)

              • Y
                yon
                last edited by Nov 7, 2012, 10:52 PM

                I think that if the new version of GRW finds any blocked keywords in the IP header information, the internet connection will be blocked or reset. The previous version blocked IPs, so I could use the IPv6 network or a VPN to bypass it, but now all these ways have failed.

                • C
                  cmb
                  last edited by Nov 8, 2012, 6:33 AM

                  If you're truly tunneling all your traffic out via a VPN to a country that doesn't employ such filtering, it's impossible for your country to accomplish any kind of content filtering or inspection on your traffic.

                  • Y
                    yon
                    last edited by Nov 8, 2012, 6:51 AM

                    @cmb:

                    If you're truly tunneling all your traffic out via a VPN to a country that doesn't employ such filtering, it's impossible for your country to accomplish any kind of content filtering or inspection on your traffic.

                    I discussed this with other people, and some VPN methods really do fail.

                    • R
                      raclure
                      last edited by Nov 8, 2012, 1:13 PM Nov 8, 2012, 1:02 PM

                      As mentioned in a previous post, the best way around this is by using VPN. The VPN server has to be located in another country. Be sure to redirect all the traffic through the VPN (like the DNS etc.).

                      But they could detect that you're using VPN and they could reset/cut the connexion.

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Nov 8, 2012, 2:23 PM

                        As long as they are allowing out any traffic there will be ways to tunnel through. Clearly that is getting more difficult though.

                        Steve

                        • Y
                          yon
                          last edited by Nov 15, 2012, 4:50 PM Nov 15, 2012, 4:47 PM

                          This is from visiting xijie.wordpress.com, captured with the Wireshark tool:

                          20121116004234.jpg
                          • Y
                            yon
                            last edited by Nov 15, 2012, 4:48 PM

                            ..

                            20121116004208.jpg
                            • Y
                              yon
                              last edited by Nov 15, 2012, 4:49 PM

                              ..

                              20121116004132.jpg
                              • C
                                cmb
                                last edited by Nov 16, 2012, 2:06 AM

                                Yes, they're RSTing your connection. But again, that's not what blocks it, that's just the great firewall being nice and letting the client know they've killed their connection. The RST gets through PF because it's a legit part of an established connection. Short of hacking the kernel source and breaking normal functionality required for a properly functioning network, you can't do anything about it. Besides, blocking it would accomplish nothing but leave your client hanging, not realizing the connection is dead. The connection won't magically start working because you're ignoring the RST.

                                • Y
                                  yon
                                  last edited by Nov 16, 2012, 2:45 AM

                                  I want to find a solution. The great firewall does not block the IP for some sites; it should be finding blocked keywords in the domain address, like wordpress.com.

                                  Because when I use a DNS64/NAT64 system pointing to a virtual IPv6 address, or use a proxy server in another country, or use a PPTP VPN, the connection is still reset. Just using the IP address can still open the destination web server.

                                  So I think maybe there is a method to hide the destination domain address.

                                  • Y
                                    yon
                                    last edited by Jan 2, 2013, 6:59 PM

                                    I found some news about this. I hope PF increases encryption capabilities within the network.

                                    https://www.schneier.com/blog/archives/2012/12/china_now_block.html

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.