servan12

Posts posted by servan12

  1. 49 minutes ago, Shogun said:

    If you only want certain IPs to access those ports then either delete this rule:

    
    pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state 
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

    (Or if you still want some of the service_ports to be publicly accessible just delete the ones you want to restrict from the service_ports list)

     

    And then add the IP or IPs you want to allow in the trusted_hosts table. Those IPs are trusted so they can access any port regardless of rules.

     

    That said, this is not the best way to secure either ssh or mysql, which should be done with SSH keys (and maybe changing the port to avoid the log spam from bruteforce attempts) and in MySQL, by binding the address to localhost and then using the SSH Tunnel option in Navicat instead of connecting directly to the port.

    I want to add a rule for a single port, i.e. one host IP accessing port 3306, as

  2. 6 minutes ago, Shogun said:

    As long as you're blocking connections by default (block all or block in all should be your first rule) then you can just do this

     

    table <trusted_hosts> const { youriphere,anotherip }

     

    Pay attention to my example file to see where it's placed.

     

     

    pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state 
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
    pass in on $ext_if proto {tcp,udp} to any port $game_ports flags S/SA keep state 
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

    Anyone can reach service_ports within a certain limit; I just want them to be accessible by IP?

  3. What rule can be written so that these ports can be accessed only by IP?

     

    Ports: 22 & 3306

    On 2/4/2014 at 7:41 AM, Shogun said:

    Update April 2020

     

    I have modified the rules to allow ipv6 connections, and added some comments.

     

    Hello,
     

    As I had just posted the file without any explanation of it, which is not really useful unless you are already familiar with pf, I have added a little tutorial.

    This is a sample pf.conf file that you can use as a base to create your own for your Metin2 FreeBSD server. As you can see it was originally made by Tim and I have used it ever since on my server.
     

    If you host your website on a different IP address than your game server, it's a good idea to add its IP to the trusted_hosts table (you can safely remove the dummy address that I placed there). Any host that you want to have "free access", that is, skip firewall rules, should be added there. IP addresses must be separated by commas.

     

    Only the ports that you specify under service_ports and game_ports will be open. service_ports should generally include your SSH port, and 80 if you are running a web server.

     

    We also apply packet scrubbing and a limit on the number of connections, both measures helpful against certain types of attacks.
     
    This configuration allows UDP so that ServerCheck works, but it is a good idea to block UDP completely; you may then need to change the login screen, if you use a standard one, so it doesn't show your channels as offline.
     

    # pf config by Shogun on 4th April 2020
    # This is a minimalistic configuration with basic rate limiting
    
    # Change the value to reflect your public interface. You can see this with ifconfig.
    
    ext_if="igb0"
    
    # A custom list with ports used for services (ssh, http, https) - we can also name them as per /etc/services
    # instead of using numbers. The commented out line would do the same as the previous one.
    
    service_ports="{ 22, 80, 443 }"
    #service_ports="{ ssh, http, https }"
    
    # Another custom list with ports used by Metin2 (these numbers are just an example, replace with all your
    # auth and game ports. db does not need to be publicly accessible)
    
    game_ports="{ 11002, 13001, 13002, 13003, 13004, 13099 }"
    
    # IP addresses that should override the firewall rules, such as your web server.
    # If you have many IP addresses to whitelist, you can keep them in a text file instead, one IP per line.
    # Unless you have a static IP, it's not a good idea to place your own IP address here.
    
    table <trusted_hosts> const { 83.122.73.44, 8.8.8.8 }
    # table <trusted_hosts> persist file "/var/db/trusted_hosts"
    
    table <abusive_hosts> persist
    
    # we drop blocked packets instead of returning them, as that would make us vulnerable to a RST flood
    # (flooding your own outbound connection responding to blocked packets)
    set block-policy drop
    # Set the interface we want to log
    set loginterface $ext_if
    # Do not process localhost connections
    set skip on lo
    # Sanitize packets: reassemble fragments, clear the DF bit and randomise the IP ID field
    # (FreeBSD pf spells fragment reassembly as "fragment reassemble")
    scrub in on $ext_if all fragment reassemble no-df random-id
    
    # Drop spoofed packets
    antispoof for { $ext_if } inet
    
    # Default deny for inbound traffic. Every "pass in" below is an exception to this rule;
    # in pf the last matching rule wins unless a rule is marked "quick".
    block log in
    
    pass in quick from <trusted_hosts>
    block in quick from <abusive_hosts>
    
    # Allow ping in (IPv4 only: nothing in this file passes icmp6, which IPv6 neighbour discovery
    # needs, so check IPv6 reachability after loading the rules)
    pass in inet proto icmp all icmp-type echoreq
    
    # Allow connecting to our service and game ports as defined at the beginning of the file.
    # IP addresses with excessive connections will be blocked and placed in abusive_hosts table.
    # We are allowing only TCP connections on service ports, whereas we allow UDP and TCP for Metin2.
    # UDP is a potential risk for DDoS attacks and Metin2 only uses UDP to verify channel state
    # in the login screen, so you can safely block it by changing "{tcp,udp}" to just "tcp".
    
    # If you want the packets dropped instead of banning the IP, remove the ", overload <abusive_hosts> flush" part.
    # If you want offender IPs blocked in every port and not just the one they flooded, add "global" after flush
    
    # Please note that by itself, this offers very limited protection against all but the most basic and primitive
    # attacks. Don't expect this script to protect you from crafty attackers.
    
    pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
    pass in on $ext_if proto {tcp,udp} to any port $game_ports flags S/SA keep state \
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
    
    # Same for ipv6
    pass in on $ext_if inet6 proto tcp to any port $service_ports flags S/SA keep state \
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
    pass in on $ext_if inet6 proto {tcp,udp} to any port $game_ports flags S/SA keep state \
            (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
    
    # Let outbound connections through. Keep state means that the connection doesn't need to be
    # processed again by the firewall every time there is a packet sent back and forth. Note
    # that UDP has no handshake, so its state entries are matched on addresses and ports only
    # and expire on a timer rather than being closed.
    
    pass out all keep state
    pass out on $ext_if all modulate state

     

     

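Putting the three replies above together (Shogun's advice to take 22 out of service_ports and keep a table of allowed hosts, and servan12's request to open 22 and 3306 only to specific IPs), here is an added example of the relevant part of a pf.conf. It is not Shogun's or Tim's file and has not been posted by anyone in this thread; the `admin_hosts` table, the `admin_ports` macro and the addresses in them are assumptions for illustration (203.0.113.0/24 and 2001:db8::/32 are documentation prefixes, replace them with your own static IPs).

```pf
# Added example, not the file quoted above: SSH and MySQL reachable only from an allow-list.
# Assumed names: admin_hosts (table) and admin_ports (macro). Addresses are placeholders.

ext_if="igb0"

# 22 is deliberately absent from the public list. With "block log in" below and pf's
# last-match semantics, any port that is not listed in some "pass in" rule stays closed.
service_ports="{ 80, 443 }"
game_ports="{ 11002, 13001, 13002, 13003, 13004, 13099 }"

# Ports that only the admin hosts may reach. 3306 belongs here only if you really must
# connect to MySQL from outside; see the note after this block.
admin_ports="{ 22, 3306 }"

table <trusted_hosts> const { 83.122.73.44 }
table <admin_hosts>   const { 203.0.113.10, 2001:db8::10 }   # placeholders, use your static IPs
table <abusive_hosts> persist

set block-policy drop
set loginterface $ext_if
set skip on lo
scrub in on $ext_if all fragment reassemble no-df random-id
antispoof for { $ext_if } inet

# Default deny; everything below is an exception to this rule.
block log in

# Hosts in trusted_hosts bypass every rule, including the admin_ports restriction,
# so only put hosts there that should reach 22 and 3306 as well.
pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

pass in inet proto icmp all icmp-type echoreq

# The allow-list rule. "from <admin_hosts>" is what answers the question in this thread.
# No overload clause here: you do not want your own admin host to end up in abusive_hosts.
pass in on $ext_if proto tcp from <admin_hosts> to any port $admin_ports \
        flags S/SA keep state

# Public services and game ports, as in the quoted file (22 no longer appears here).
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
pass in on $ext_if proto {tcp,udp} to any port $game_ports keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

pass out all keep state
pass out on $ext_if all modulate state
```

Before loading this on a remote box, syntax-check it with `pfctl -nf /etc/pf.conf`, keep a console or provider-side KVM session open in case the admin address is wrong, and load with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the expanded rules and `pfctl -t admin_hosts -T show` the table contents, so you can confirm that the only rule passing port 22 is the one restricted to `<admin_hosts>`. The lock-out risk Shogun mentions applies doubly here: a dynamic admin IP means losing SSH the next time it changes. For MySQL the cleaner answer from the first reply still holds: set `bind-address = 127.0.0.1` in my.cnf, drop 3306 from `admin_ports` altogether, and reach it through an SSH tunnel such as `ssh -L 3306:127.0.0.1:3306 user@server`, pointing Navicat at 127.0.0.1.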

  4. 4 hours ago, Daenerys said:

    open char_item.cpp


    Change the code block of namespace NPartyPickupDistribute to:
     

    namespace NPartyPickupDistribute
    {
        // Visits each online party member and remembers the one that owns the dropped item.
        struct FFindOwnership
        {
            LPITEM item;
            LPCHARACTER owner;

            FFindOwnership(LPITEM item)
                : item(item), owner(NULL)
            {
            }

            void operator () (LPCHARACTER ch)
            {
                if (item->IsOwnership(ch))
                    owner = ch;
            }
        };

        // Counts the party members within PARTY_DEFAULT_RANGE of the given character.
        struct FCountNearMember
        {
            int        total;
            int        x, y;

            FCountNearMember(LPCHARACTER center)
                : total(0), x(center->GetX()), y(center->GetY())
            {
            }

            void operator () (LPCHARACTER ch)
            {
                if (DISTANCE_APPROX(ch->GetX() - x, ch->GetY() - y) <= PARTY_DEFAULT_RANGE)
                    total += 1;
            }
        };

        // Hands each nearby party member (other than the picker itself) its share of the gold.
        struct FMoneyDistributor
        {
            int        total;
            LPCHARACTER    c;
            int        x, y;
            int        iMoney;

            FMoneyDistributor(LPCHARACTER center, int iMoney)
                : total(0), c(center), x(center->GetX()), y(center->GetY()), iMoney(iMoney)
            {
            }

            void operator ()(LPCHARACTER ch)
            {
                if (ch != c)
                    if (DISTANCE_APPROX(ch->GetX() - x, ch->GetY() - y) <= PARTY_DEFAULT_RANGE)
                    {
                        ch->PointChange(POINT_GOLD, iMoney, true);

                        if (iMoney > 1000) // only log amounts above 1000
                            LogManager::instance().CharLog(ch, iMoney, "GET_GOLD", "");
                    }
            }
        };
    }

    I think you tried to change an item that drops under someone else's name while in the party.
    Using each encoding is only safe.

    I'm using 34083 game :S

  5. ch1 went down; game.core:

     

    Core was generated by `game'.
    Program terminated with signal 11, Segmentation fault.
    Loaded symbols for /usr/lib32/libmd.so.4
    Loaded symbols for /usr/lib32/libz.so.4
    Reading symbols from /usr/lib32/libstdc++.so.6...Error while reading shared library symbols:
    Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in module /usr/lib32/libstdc++.so.6]
    Loaded symbols for /usr/lib32/libm.so.5
    Loaded symbols for /usr/lib32/libgcc_s.so.1
    Loaded symbols for /usr/lib32/libthr.so.3
    Loaded symbols for /usr/lib32/libc.so.7
    Loaded symbols for /libexec/ld-elf32.so.1
    #0  0x080a95ef in CParty::ForEachOnlineMember<NPartyPickupDistribute::FFindOwnership> ()
    [New Thread 290030b429003d00 (LWP 100136/<unknown>)]
    [New Thread 287735e429003a80 (LWP 100132/<unknown>)]
    [New Thread 29003d3429003800 (LWP 100131/<unknown>)]
    [New Thread 29003ab429003080 (LWP 100120/<unknown>)]
    Cannot find new threads: generic error
    (gdb) Quit
    (gdb) set gnutarget amd64-marcel-freebsd
    (gdb) file game
    "/usr/game/channel1/game": could not open as an executable file: Invalid bfd target
    (gdb) core game.core
    /usr/game/channel1/game.core: No error: 0.
    (gdb) set gnutarget i386-marcel-freebsd
    (gdb) file game
    Reading symbols from game...(no debugging symbols found)...done.
    /usr/src/gnu/usr.bin/gdb/libgdb/fbsd-threads.c:484: internal-error: void fbsd_thread_new_objfile(struct objfile *): Assertion `proc_handle.pid == 0' failed.
    A problem internal to GDB has been detected,
    further debugging may prove unreliable.
    Quit this debugging session? (y or n) y
    
    /usr/src/gnu/usr.bin/gdb/libgdb/fbsd-threads.c:484: internal-error: void fbsd_thread_new_objfile(struct objfile *): Assertion `proc_handle.pid == 0' failed.
    A problem internal to GDB has been detected,
    further debugging may prove unreliable.
    Create a core file of GDB? (y or n)
    Please answer y or n.
    Segmentation fault (core dumped)
    root@vogue:/usr/game/channel1 # quit
    quit: Command not found.
    root@vogue:/usr/game/channel1 # gdb
    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "amd64-marcel-freebsd".
    (gdb) set gnutarget i386-marcel-freebsd
    (gdb) file game
    Reading symbols from game...(no debugging symbols found)...done.
    (gdb) core game.core
    Core was generated by `game'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/lib32/libmd.so.4...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libmd.so.4
    Reading symbols from /usr/lib32/libz.so.4...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libz.so.4
    Reading symbols from /usr/lib32/libstdc++.so.6...Error while reading shared library symbols:
    Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in module /usr/lib32/libstdc++.so.6]
    Reading symbols from /usr/lib32/libm.so.5...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libm.so.5
    Reading symbols from /usr/lib32/libgcc_s.so.1...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libgcc_s.so.1
    Reading symbols from /usr/lib32/libthr.so.3...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libthr.so.3
    Reading symbols from /usr/lib32/libc.so.7...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib32/libc.so.7
    Reading symbols from /libexec/ld-elf32.so.1...(no debugging symbols found)...done.
    Loaded symbols for /libexec/ld-elf32.so.1
    #0  0x080a95ef in CParty::ForEachOnlineMember<NPartyPickupDistribute::FFindOwnership> ()
    [New Thread 290030b429003d00 (LWP 100136/<unknown>)]
    [New Thread 287735e429003a80 (LWP 100132/<unknown>)]
    [New Thread 29003d3429003800 (LWP 100131/<unknown>)]
    [New Thread 29003ab429003080 (LWP 100120/<unknown>)]
    Cannot find new threads: generic error
    (gdb) bt full
    #0  0x080a95ef in CParty::ForEachOnlineMember<NPartyPickupDistribute::FFindOwnership> ()
    No symbol table info available.
    #1  0x08099159 in CHARACTER::PickupItem ()
    No symbol table info available.
    #2  0x08144f5c in CInputMain::Analyze ()
    No symbol table info available.
    #3  0x0812f20b in CInputProcessor::Process ()
    No symbol table info available.
    #4  0x080f9413 in DESC::ProcessInput ()
    No symbol table info available.
    #5  0x0823243b in io_loop ()
    No symbol table info available.
    #6  0x08232ffe in idle ()
    No symbol table info available.
    #7  0x08234706 in main ()
    No symbol table info available.

     


  6. SYSERR: Oct 23 23:44:09 :: ChildLoop: AsyncSQL: query failed: Out of range value for column '5' at row 1 (query: INSERT INTO quest_reward_log VALUES('antiexp',3088,35,2,4293189248,0,NOW()) errno: 1264)
    
    SYSERR: Oct 23 23:45:19 :: EquipTo: EquipTo: item already exist (this: #70003 Liderin Kitabı cell: 8 Hırsız Eldiveni)
    
    SYSERR: Oct 23 23:42:16 :: ChildLoop: AsyncSQL: query failed: Incorrect string value: '\xDDSTEN\xDD...' for column '4' at row 1 (query: INSERT INTO shout_log VALUES(NOW(), 1, 3,'BeceriKitabi : [Jinno]|cFF0080FF|H|hİSTENİLEN BK VERLİR BEDENSEL BK ALINIR  PM ') errno: 1366)
    
    SYSERR: Oct 23 23:40:00 :: Process: UNKNOWN HEADER: 45, LAST HEADER: 0(0), REMAIN BYTES: 61, fd: 18
    
    SYSERR: Oct 23 23:38:48 :: Analyze: Handshake phase does not handle packet 6 (fd 25)
    SYSERR: Oct 23 23:38:54 :: Analyze: login phase does not handle this packet! header 3
    
    SYSERR: Oct 23 23:36:30 :: Process: UNKNOWN HEADER: 37, LAST HEADER: 0(0), REMAIN BYTES: 124, fd: 38
    
    SYSERR: Oct 23 23:32:48 :: Process: UNKNOWN HEADER: 135, LAST HEADER: 0(0), REMAIN BYTES: 176, fd: 31

     

     

     

  7. SYSERR: Oct 15 04:23:08 :: ChildLoop: AsyncSQL: query failed: Data too long for column 'hint' at row 1 (query: INSERT DELAYED INTO log (type, time, who, x, y, what, how, hint, ip) VALUES('CHARACTER', NOW(), 2889, 968161, 277292, 0, 'LOGIN', '192.168.1.102 916271162 1 41 5685', '192.168.1.102') errno: 1406)
    SYSERR: Oct 15 04:23:08 :: ChildLoop: AsyncSQL: query failed: Incorrect integer value: 'Y' for column 'is_gm' at row 1 (query: INSERT INTO loginlog2(type, is_gm, login_time, channel, account_id, pid, ip, client_version) VALUES('INVALID', 'Y', NOW(), 1, 1, 2889, inet_aton('192.168.1.102'), '') errno: 1366)
    SYSERR: Oct 15 04:23:55 :: ChildLoop: AsyncSQL: query failed: Incorrect string value: '\xFCresi' for column 'hint' at row 1 (query: INSERT DELAYED INTO log (type, time, who, x, y, what, how, hint, ip, vnum) VALUES('ITEM', NOW(), 2889, 967962, 276338, 10000744, 'BUY', 'Kutsama Küresi', '192.168.1.102', 70024) errno: 1366)
    SYSERR: Oct 15 04:23:55 :: ChildLoop: AsyncSQL: query failed: Incorrect string value: '\xFCresi' for column 'hint' at row 1 (query: INSERT DELAYED INTO log (type, time, who, x, y, what, how, hint, ip, vnum) VALUES('ITEM', NOW(), 2889, 967962, 276338, 10000745, 'BUY', 'Kutsama Küresi', '192.168.1.102', 70024) errno: 1366)
    SYSERR: Oct 15 04:23:55 :: ChildLoop: AsyncSQL: query failed: Incorrect string value: '\xFCresi' for column 'hint' at row 1 (query: INSERT DELAYED INTO log (type, time, who, x, y, what, how, hint, ip, vnum) VALUES('ITEM', NOW(), 2889, 967962, 276338, 10000746, 'BUY', 'Kutsama Küresi', '192.168.1.102', 70024) errno: 1366)
    SYSERR: Oct 15 04:26:25 :: ChildLoop: AsyncSQL: query failed: Data too long for column 'hint' at row 1 (query: INSERT DELAYED INTO log (type, time, who, x, y, what, how, hint, ip) VALUES('CHARACTER', NOW(), 2889, 967962, 276338, 0, 'LOGOUT', '192.168.1.102 915971361 1 41 5700', '192.168.1.102') errno: 1406)

     

  8. Try running the sequence patcher and applying it to your client & server. Honestly, I looked for this error message in the 40k SF source and I can't find it.

     

    sequence was

     

     

    Because it's in the libthecore folder

     

    /usr/src/mainline/Srcs/Server/libthecore/src/signal.c

     

    /* Checkpoint signal handler. "tics" is expected to be advanced by the main loop
       between two checkpoint signals; if it is still zero when the signal arrives, the
       loop has stalled and the process aborts (dumping core) instead of hanging. */
    RETSIGTYPE checkpointing(int sig)
    {
        if (!tics)
        {
            sys_err("CHECKPOINT shutdown: tics did not updated.");
            abort();
        }
        else
            tics = 0;
    }

    I think it's not the gamefile's problem.

     

     

    Where is the problem?
