readme: fix typos

This commit is contained in:
Val Saven 2021-03-10 14:44:00 +03:00
parent 72a99cf678
commit 42f77eed50
No known key found for this signature in database
GPG Key ID: 186F56C612D51F69
2 changed files with 18 additions and 18 deletions

View File

@ -53,7 +53,7 @@ You need to run them with the necessary parameters and redirect certain traffic
To redirect a TCP connection to a transparent proxy, the following commands are used:
forwarded fraffic :
forwarded traffic :
iptables -t nat -I PREROUTING -i <internal_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988
outgoing traffic :
iptables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988
@ -172,12 +172,12 @@ add tcp option "MD5 signature". All of them have their own disadvantages :
* md5sig does not work on all servers
* badsum doesn't work if your device is behind NAT which does not pass invalid packets.
Linux NAT by default does not pass them without special setting "sysctl -w net.netfilter.nf_conntrack_checksum=0"
Openwrt sets it from the box, other routers in most cases dont, and its not always possible to change it.
If nfqws is on the router, its not neccessary to switch of "net.netfilter.nf_conntrack_checksum".
Openwrt sets it from the box, other routers in most cases don't, and its not always possible to change it.
If nfqws is on the router, its not necessary to switch of "net.netfilter.nf_conntrack_checksum".
Fake packet doesn't go through FORWARD chain, it goes through OUTPUT. But if your router is behind another NAT, for example ISP NAT,
and that NAT does not pass invalid packets, you cant do anything.
* badseq packets will be dropped by server, but DPI also can ignore them
* TTL looks like the best option, but it requires special tuning for earch ISP. If DPI is further than local ISP websites
* TTL looks like the best option, but it requires special tuning for each ISP. If DPI is further than local ISP websites
you can cut access to them. Manual IP exclude list is required. Its possible to use md5sig with ttl.
This way you cant hurt anything, but good chances it will help to open local ISP websites.
If automatic solution cannot be found then use zapret-hosts-user-exclude.txt.
@ -223,7 +223,7 @@ doing something about it is hardly possible without the help of the server.
The best solution is to enable TLS 1.3 support on the server. TLS 1.3 sends the server certificate in encrypted form.
This is recommendation to all admins of blocked sites. Enable TLS 1.3. You will give more opportunities to overcome DPI.
Hosts are extracted from plain http request Host: header and SNI of ClientHelllo TLS message.
Hosts are extracted from plain http request Host: header and SNI of ClientHello TLS message.
Subdomains are applied automatically. gzip lists are supported.
iptables for performing the attack on the first packet :

View File

@ -836,7 +836,7 @@ tpws к http и nfqws к https. При этом поддерживаются у
enable auto start : systemctl enable zapret
disable auto start : systemctl disable zapret
start : sytemctl start zapret
start : systemctl start zapret
stop : systemctl stop zapret
status, output messages : systemctl status zapret
timer info : systemctl list-timer
@ -972,7 +972,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
ЭКОНОМИЯ МЕСТА :
gzip от busybox в разы медленней полноценного варианта. gzip используется скриптами получения листов.
sort от busybox медленней полноценного варианта и жрет намного болше памяти. sort используется скриптами получения листов.
sort от busybox медленней полноценного варианта и жрет намного больше памяти. sort используется скриптами получения листов.
grep от busybox катастрофически медленный с опцией -f. она применяется в get_reestr_combined.sh. если вы не собираетесь
пользоваться этим скриптом, gnu grep можно не устанавливать
iptables-mod-nfqueue можно выкинуть, если не будем пользоваться nfqws