tunkz tutorial

Computer networks devided into two types :
    Voice networks : based on circuit swithcing. Communication
                    is always made by             the same path. Example: Public Switched
                    Telephone Network (PSTN).
    Data Netwoks : based on packet swithcing. information data is devided into                 packets,     and the packets can travel accros different route/path. Example :         internet.

Main problem about circuit swithcing is it need a lot of bandwidth for each communication. Why ?? because same channel is used when during a call (communication) and most of the phone calls have a lot of silence moments.
Data networks only transmit information when it is necessary, so it using bandwidth more efficiently. Delay and loss packets should not be a disadvantage, due the system has a capability to recover the information. However, voice and video streaming are  sensitive with those parameters (Delay and loss). So,  networks  and protocols with high degree of QoS are required.

Voice over IP (VoIP) defines the necessary  routing systems and protocols for transmit voice conversations over Internet. Internet is a packet swithcing networks based on TCP/IP protocols.

So, what is SIP and H.323??? VoIP has two architecture for the voice transmission :
    SIP (Session Initiation Protocols) : SIP is a signalling protocol to establish and             conferences in IP networks. Beginning of the sessions, change or term of the             sessions, is independent of the type of application
                    that it is being used in the         call.     (a sessions including several data types : voice, video, or many other             formats.)
    H.323 : standard of communications
                    multimedia, that facilitated the                         convergence  of voice, video
                    and data. nitially it was thought for packet circuit         networks.

SIP
        SIP is used for initiating, modifying, and terminating user sessions that involves multimedia communication elements, ex : voice, video , instant messaging, etc.  Main objective of SIP is the communicating between multimedia devices.  SIP using two main protocols, RTP and SDP (you can read the RFC or manual about RTP and SDP). RTP is used to transport  voice data in real time; SDP is used to negotiate the participant capabilities,
                  codification type, etc. SIP is end-to-end oriented protocols. it means that  all the logic is stored  in end devices. State is also  stored in end-device only.  SIP is an application-layer protocols, a signalling protocol for internet-telephony.
    SIP has ability to establish and end multimedia sessions (ex : location, availability, resource use, etc). In order to implement these functions, SIP has different components. main components are User Agent (UA) and SIP servers.

1. User Agent (UA): User Agent has two different parts,  User Agent Client (UAC) and User Agent Server (UAS).  UAC is used for sending SIP request and receive the answers for those request. UAS used to send answer to the SIP request.  Both entities are in every user agent, to allow the communication
                       between different user agents in a client-server communication.
2. SIP servers,  devided into 3 types :

• Proxy servers : This server has a similar functionality
                      to an HTTP Proxy. Proxy servers devided into 2 types, statefull proxy and stateless proxy. Statefull proxy keep the state of the transaction during
                      the request processing. Stateless proxy do not keep the state of the transaction during the  requests processing, They only resend messages.
• Registrar Servers : a server which accepts register request from the users and keep the information about this request t provides a location and address translation
                    service.
• Redirect Servers : server which generates
                    redirection answers to the received requests. This server routes
                    again the requests to the next server.

All of thoose parts are conceptual, can be placed in the same machine, or may be in different machine

    One of the SIP server function is user location and name resolution. Normally, user agents doesnt know the IP address of the called persons. SIP entities identify a user by SIP URI (Uniform Resource Identification)see RFC 2396. SIP URI has a format similiar with email address  consists of a user and a domain delimited by
                    one @.  examples :   
   
                  user@domain
    user@machine
                    user@ip_address
                    telephone_number@gateway

and, how about H.323????……….. next article. i promise it!!! ^_^

    FreeBSD platform is a great platform for firewalls. As far as i know, FreeBSD has 3 firewall apllication for building a great firewall : IPFW, PF and IPF. hmmmm, i only will explain the IPFW and PF firewall. IPF and PF is almost same.

• IPFW :  FreeBSD’s primary firewall is called IPFW (Internet Protocol Firewall). IPFW is
  composed of two parts: a kernel-level packet filter engine and a userland
  utility for controlling firewall functionality. IPFW has been part of FreeBSD
  since FreeBSD 2.0. IPFW went through a major
  overhaul as part of FreeBSD 5 development. This "new" IPFW became known as
  IPFW2. However, for the sake of sanity, we will refer to IPFW2 simply as IPFW.

• PF : OpenBSD utilizes a firewall mechanism called PF (packet filter). Like FreeBSD’s
  IPFW, PF is made up of a kernel-level packet filter and a userland utility for
  control of the firewall functionality. Unlike FreeBSD, PF is exposed via a
  device node, /dev/pf. PF is a newcomer to the OpenBSD world. Before using PF, OpenBSD utilized a
  firewall called IPFilter. I dont know why IPFilter removed from OpenBSD. maybe a licensce trouble. The end result was that
  IPFilter was removed from OpenBSD.
  PF was created to fill the void left by IPFilter. PF has been designed from day
  one to integrate cleanly into OpenBSD, and as such, is very usable and flexible.

The Differences
    There are big differences between IPFW and PF. If you had ever using both IPFW and PF, you will find the differences. IPFW is list-based while PF is much more object oriented. PF configuration is broken into many parts, but IPFW generally a shell scripts with rules processed in order. but, both firewall supports statefull and stateless processing of connection.
    In IPFW, the first rule in a ruleset that matches a packet "wins." That means,
if a ruleset has a rule to allow traffic to port 80 before a rule that denies
all traffic, the packet destined to port 80 will be allowed. In PF, the exact
opposite is true; the last rule that matches "wins." In the same example, the
packet to port 80 would be denied by the firewall.  If you really need to have a packet match a rule and then be
processed in PF, you can use the quick keyword to force the issue. (you can read my blog about PF)
    In IPFW, denied packets are logged through the syslog facility. In PF, denied
packets are logged to a special interface called pflog0. This interface
is actually a BPF (Berkeley Packet Filter) interface that allows utilities like
tcpdump to sniff logged packets directly. This feature can be used
by IDS engines and monitoring tools to analyze the firewall’s activity without
having to interact or affect the firewall processing.
    PF implements Network Address Translation (NAT) and Quality of Service (QoS)
directly into the firewall. In IPFW, these features are provided by other
programs. In general, there is no
functional difference. The integration in PF makes administration a bit easier
as all configuration is done in one file.
    PF performs more aggressive optimization than IPFW. In PF, large
lists of rules are compressed into a table (of course you must read the PF manual first). So while the configuration file for
PF may still have list-like properties, the core processing engine of PF treats
the rules more efficient. This ultimately results in a tree
data-structure for the rules making even huge rulesets rapidly searchable.
    PF also has the capability to reassembly and normalizing fragmented packets before sending them through the firewall. This prevents
fragmentation attacks behind the firewall. This is a great feature of PF, as
it prevents other applications on the firewall (like an IDS sensor) from
having to deal with fragments.
    Seems that PF is a weapon weapon for building a
firewall. If you need the flexibility and scalability, use PF. However, for smaller-scale deployments, such as a
small or home office, IFPW’s simple interface and simple  administration
may be your choice.
    Back to you again, just choose PF or IPFW as your firewall in a FreeBSD machine or in your networks.    
    And how about IPTABLES??? hmmmmmmmmm, long time not using iptables as firewall. look likes i must read the iptables manual again….. ^_^

hihihihihihi……. back again with me,…….. :D :D :D. i’ve got experience again. i have 4 DVD iso images ubuntu packets.. hmmmm, i wanna build an ubuntu mirror. but, the problem, how i can mount it in freeBSD???? freeBSD again :D :D :D

hehehhehe…….. it’s so simple… very simple, using my freeBSD 6.1. just 2 line command. but, how??????

hehehe, here there are :
  # mdconfig -a -t vnode -f ubuntu-1.iso -u 0
  # mount -t cd9660 /dev/md0 /mnt/ubuntu-packets/

so simple huh?????

after we mount it, how to unmount it??? againn… just 2 command……
  # umount /mnt/ubuntu-packets
  # mdconfig -d -u 0

it’s so simple……. hope this can help you too ^_^

happy ‘ngoprek’ ^_^

hohohoho…………………….. i finally found how to solve error in GD + php.Useally, when we try to install php + gd enabled, we will get some error, not error when we complie php or gd, but error in your web. like your image won’t display properly in your web.. why i wrote this article, because i’ve got experience. when i migrate my system from linux to freebsd, because the HD error T_T, i install php with gd. i think, it will same from the old system. but, when i finished installing php+ gd, iv got the problem. jpeg or jpg image wont display properly. my expericence is, when i try to upload a jpeg or jpg image, i ve got some error, altough the web is normal, work properly. jpeg or jpg image thumbnail view  wont displayed. damn!!!!!!! i’ve install gd from the freebsd ports and compile php from source manually. hooooooooooo, then my partner check the php info. shit!!!! jpeg not enabled in php……waaaaaaaaaaaaaaaa.. what happen????

my friend told me, gd in freebsd still got some error. beuuuuuu….. ive try many times with different options in php, but still got same problem, jpeg/jpg image wont display properly. T_T…………. i finally realize i must install libpng + libjpeg manually, not from the bsd ports….. ckckcckkcckckk, just waste my time (almost 2 monhts, ive got this problem T_T). hmmmm. i must solve it!!!!! then, i remember, my students mirror still up ^_^. i try to install libjpeg and libpng manualy and gd from ports. first still error, those packets got error when i compile it. and the second. hoohohoho it works (my friend said that)….. almost 8 hours with my daemon ^_^ just to enabling GD in php in freebsd. but how i solve it??????

hmmmm……………… frist you should fetch it manually thoose packets (i install thoose packets in freebsd fresh install ^_^).
libxml2-2.6.22.tar.gz
zlib-1.2.3.tar.gz
libpng-1.2.9.tar.gz
jpegsrc.v6b.tar.gz

after you fetched it follow this steps :
1. you should install mysql first, if you plan your web using databases
    cd /usr/ports/databases/mysql-server/
    make WITH_LINUXTHREADS=yes install clean (and so on….. i wont explain in         here)
2.install httpd. im using httpd-2.x.x…….. just up to you (using httpd-2.x.x                 versions). i think you know how to install httpd apache server from source. i’ve         explained it before
3. install your libxml2 first
    tar xzvf libxml2-2.6.22.tar.gz
    cd libxml2-2.6.22
    ./configure
    make
    make install
4. install your zlib.
    tar xzvf zlib-1.2.3.tar.gz
    cd zlib-1.2.3
    ./configure
    make
    make install
    make clean
5. libpng
    tar xzvf libpng-1.2.9.tar.gz
    cd libpng-1.2.9
    cp scripts/makefile.std makefile
    edit your makefile, find "prefix= ……….." (i dont remember it), change it to
    prefix=/usr/local/libpng2
    make
    mkdir /usr/local/libpng2
    make install
    make clean
6. install your jpeg library.
     tar -zxvf jpegsrc.v6b.tar.gz
     cd jpeg-6b
    ./configure –prefix=/usr/local/jpeg6 –enable-shared
     make
     mkdir /usr/local/jpeg6
     mkdir /usr/local/jpeg6/include
     mkdir /usr/local/jpeg6/lib
     mkdir /usr/local/jpeg6/bin
     mkdir /usr/local/jpeg6/man
     mkdir /usr/local/jpeg6/man/man1
     make install-lib
     make install
     make clean   
7.    install GD
    cd /usr/ports/graphics/gd
    make install clean
   
huhhhhh……… finished installing library GD support.. then, finally install your php.
just follow this steps..
    tar xzvf php-5.x.x.tar.gz
    cd php-5.x.x
    ./configure –prefix=/usr/local/httpd/php –with-gd –with-apxs2=/usr/local/httpd/bin/apxs –with-xml –with-mysql –with-zlib –with-jpeg-dir=/usr/local/jpeg6 –with-png-dir=/usr/local/libpng2 –disable-debug –enable-trans-sid –enable-sockets –enable-memory-limit (one line of course, i assume that you install your httpd apache server in /usr/local/httpd, and php in /usr/local/httpd/php)
    make
    make install
    then copy your php.ini in /usr/local/httpd/php/lib/

next step just adding "AddType application/x-httpd-php .php" in your httpd.conf….

just wait and see the difference……….. i check my web, hmmmm looks fine. then i asked my partner (web programer), "did the GD still error????" my partner told me "hoho, thats worksss"………….huaaahhhhhahahaha finally finish it !!!!!!!

hmmmmm……… just share my experience with the daemon ^_^ thanks to allDelta for the team works ^_^. solved one problem, another problem still wait. like Indonesian peole said, "derita tiada akhir" hahahahahhaahha.. just kidding. hope it will help you too…………

thanks

tunk

i’ve got new problem when i try to mount my linux partition in freeBSD. it says :

# mount_ext2fs /dev/ad2s5 /mnt/ad2s5
mount_ext2fs: /dev/ad2s5: Operation not permitted

why i got that errors??? hmmm, back to 1 week ago,  the partition is improperly unmounted, such as a forced reboot or a power cycle.  hahahahahaha………. i remember  that, my server hang, and i must reboot it manually…..hahahaha

then, how to solve it??
first the partition have to be fsck’ed before my server can mount it. but, how we can fsck linux partition in freeBSD system….. freeBSD has a tool for it, e2fsprogs

of course you have to install it, so simple and so easy to install that program (of course, you must be root )

1.#cd /usr/ports/sysutils/e2fsprogs
2.make install clean
3 e2fsprogs /dev/ad2s5 (make sure you’ve ext2fs module already loaded in FreeBSD. just wait, and see the process)
4 now i can mount the ext2 filesystem without error (mount -t ext2fs /dev/ad2s5 /linux)

hahahahah, FreeBSD save my life again………….

hope this can help you too

thanks ^_^

    waks, after the final exam, lot of job  still waiting… yeeeeeeaaaaahhhhhhhhh……..  greatt!!!!!!!!!!  building mail server for students, regonfigure the server, creating rule for the web, reconfigure the firewall,  looks like never got perfect. like i’m bring this server into my style. ups sorry before ^_^ [^_^]v. waw….. i like it ^_^ ^_^… my friend told me "before june, mail server must UP!!!!!!"…..hmmmmmmm first i hear that….. im surprise. i realize, that this job is my responsibility. lot of people, maybe you think that new server with new system still not perfect like before, even more worst. log of bug in here, in there, some service still down, T_T ……….. make me dizzy T_T, but i promise, i will bring the server to be more more better than before. I PROMISE IT!!!!!!!!

    friend, just give me 1 weeks, and i’ll finish it…………………

shit!!!!!!!!! this friday about 3.00-4.00 a.m. i made a big mistakes. heh??? danm!!!!!!!!! from the tittle, i think you will know, why i wrote this blog. not about networking again.

hmmmmmpppfffffffffff, friday 3.00-4.00 am, i reconfigured firewall in the server. (i think you’ve already know the server), configuring, configuring, and done. first, it’s work well…. then, my friend told me, ‘jalan tol down’………. hmmmmmm, ‘down’ simple word and can make me panic. shiiitt!!!!!!! where’s the error????? i trace the rule ……….. one two three…… waks, back to last two-three days ago, i used default block rule to my server. last two-three days ago, the server can be accessed from outside, but, ‘jalan tol’ couldnot connect.. hmmmmmmmmm, then finally i found the error (lot of people help me ). till friday 2.00 am, it worked well, nothing happen with the connection……… just some error with the forum, and IRC.  then, i reconfigured again the firewall… i just wanna back to the normal setting, default block. hmmmmm…… why use default block rule?? i think its more secure than default accept rule. more secure means not 100 % secure……. first, i re-run the firewall, worked well, but ‘jalan tol’ down…………. duengg!!!!!!!!!!!!!!!!!!!!!!

trace, trace, trace, trace!!!!!!!!!!!!!!!!!!!!!..dunno. still confused. trace again……. then i used firewall rules that i configured last. then, and that mistake started…  i wrote  "pfctl -F all", then enter……………………. wakkksss!!!!!!!!!!!!!!!! no one couldnot connect to my server…………panic, really panic…… what i’ve done to my server????!!!!!!!!!!!!!!!!!!!! web,irc down!!!!!!!!!!!!!!!!!!!!!!!!!!! lot of people couldnot connect with the server…………… really panic. what should i do?? i must wait till monday, just for reconfiguring firewall again… big mistake in friday.

i’am a stupid admin……….

moga aja pada ga bosen kalo artikelnya tentang PF lagi. ini sebenernya cuman mo nambahin aja. Tenang aja, gw disini ga akan bahas gimana cara bikin rule firewall, seting parameter PF, ato NAT+RDR de-el-el.
tadi pagi, sekitar jam 3 pagi-an, gw setting PF lagi…….. hmmmmmmmmm tapi lagi lagi error lagi lagi error, padahal sintaks nya udah bener……. duh, gimana ini???? gw liat di settingan pf.conf default bawaan dari *BSD, ga banyak membantu. ternyata dalam PF, ada aturan-aturan yang harus kita patuhi ketika kita bikin firewall. waaaaaaaaaaaa, apa aja itu????

gini aturannya

#1. set variable
#2. options rule
#3. scrub rules
#4. nat,rdr,binat
#5. rules, block pass, antispoof
kalo ga match ma urutan itu, ga bakalan jalan.

ini contohnya (di /etc/pf.conf)
###################aturan 1, set variable#############
if="rl0"
dns="{10.14.203.7,202.154.1.2,202.134.0.155,202.134.2.5}"
ga_penting= "{137,138,139,81}"
#voip="{5060, 4569, 5036, 9999 >< 20001, 2727}"
irc="{6666,6667,6668}"
ob_state = "flags S/SA keep state"
ib_state = "flags S/SA keep state"
################end set variable####################

###############aturan 5, antispoof, block, pass rules########
antispoof for $if
pass quick on lo0 all
pass out quick on $if proto tcp from any to $dns port 53 $ob_state
pass out quick on $if proto udp from any to $dns port 53 keep state
#####dan seterusmnya, silakan baca di artikel sebelumnya#########
############end aturan 5, antispoof, block,pass, rules#########

heheee, tinggal di save, trus jalanin aja pake pfctl -f /etc/pf.conf, and gotcha!!!!!!!!!!!!!!!!!!!!!!!!! jalan :D :D

semoga pengalaman gw bermain main dengan PF bisa berguna bagi temen temen semua. oh iya, rule nya enggak lengkap, udah ada di artikel sebelumnya (males nulisnya lagi). tinggal baca aja di artikel sebelumnya.

hehehe……………. sekian dan tingkyuuu dah baca artikel gw

waks, apaan tuh multicast networks?? pasti dah sering denger dong apa itu unicast, multicast. ga ada salahnya kalo gw ngebahas lagi. apa sih multicast itu???

unicast : one-to-one retransmision, satu sender satu receiver. untuk arsitektur semacam itu, jaringan unicast akan lebih efisien, namun jika sender harus melayani banyak request, maka jaringan unicast sangatlah tidak efisien.

multicast : one-to-many transmision, satu sender multiple receiver. Multicast lebih efisien daripada broadcast. multicast  cocok digunakan untuk mengirimkan data yang sama ke multiple host, seperti streaming. multicast digunakan untuk network discovery seperti MDNS (multicast DNS), OSPF (yang gw tau cuman itu  :( )

Tadi disebutkan di atas, bahwa multicast lebih efisien dibanging dengan broadcast. mengapa itu bisa terjadi ??? Begini : agar dapat secara dinamis mengetahui lokasi dari suatu host, switch akan selalu me-listen frame yang datang (incoming frame) dan menyimpannya ke dalam suatu address tabel. Ketika sebuuah frame di terima oleh switch port, maka switch akan memeriksa source MAC address. Jika MAC address tadi tidak ada di dalam address table, maka MAC address, switch port dan VLAN akan di simpan di dalam address table yang terdapat di switch tadi. Switch akan lebih mudah mempelajari addres location berdasarkan incoming packet.
Dalam incoming frame, juga terdapat destination MAC address. Seperti yang dijelasin di atas, switch akan mengecek address table apakah ditemukan switch port dan VLAN yang cocok untuk address tujuan. Jika ditemukan, maka frame tersebut akan segera di forward ke address tujuan. Jika address tidak ditemukan di dalam address table, maka switch akan memflood incoming frame ke semua port switch yang telah di assign oleh source VLAN. Hal semacam ini dinamakan unkown unicast flooding dimana alamat unicast tujuan tidak diketahui.

Dalam Switch yang tidak support IGMP Snooping, multicast traffic diperlakukan seperti broadcast traffic, di flooding. Jadi, mengapa unknown multicast traffic di flloding berdasarkan aturan forwarding yang terdapat di layer 2?? karena dalam Multicast traffic terdapat :
source : Unicast MAC
destination : multicast MAC
Multicast MAC address tidak akan dapat pernah muncul sebagai sebuah Source, jadi dalam bridge table tidak akan pernah menggabungkan Multicast MAC address dengan port yang pas (spesifik). Sebagai akibatnya, MAC Addrees Multicast akan selalu di flood

sebenernya iseng iseng doang sih nyobain NAT di jaringan STT + bandwidth management di FreeBSD 6.1. Dari pada di leb ga ada kerjaan yang jelas, ya dari situlah dapet ide bikin mini tutorial ini. NAT dan bandwidth management disini menggunakan PF (packet filter). Sebelum menggunakan PF sebaiknya kompile kernel anda terlebih dahulu. Caranya dapet dilihat di tutorial sebelumnya. Lengkap kok :) :P :P

skema jaringan lengkapnya adalah sebagai berikut :

seperti yang terlihat di gambar, terdapat BSD nat Machine yang berfungsi sebagai gateway untuk jaringan 192.168.0.0/24. terdapat 2 buah interface di BSD nat Machine, yaitu rl0 dan xl0. rl0 adalah interface ke jaringan luar, sedang xl0 adalah untuk jaringan private. IP address untuk interface rl0 adalah 10.14.3.7, sedang interface untuk xl0 adalah 192.168.0.1. Nah yang menjadi masalah sekarang, bagaimana cara client di jaringan 192.168.0.0/24 bisa mengakses jaringan internal STT ???? salah satu caranya adalah dengan menggunakan mekanisme NAT (network address translation). Untuk mekanisme NAT, silakan baca dokumen-dokumen di internet.

konfigurasi BSD nat Machine adalah sebagai berikut  :

1. pastikan dahulu ip forwarding telah di set 1. Caranya, buka file /etc/sysctl.conf, kemudian tambahkan baris berikut net.inet.ip.forwarding=1

     2.  setting IP address untuk kedua interface tersebut, caranya bisa pake               ifconfig ato edit file /etc/rc.conf, kemudian tambahkan baris berikut :
                 ifconfig_rl0="inet 10.14.3.7  netmask 255.255.255.0"
             ifconfig_xl0="inet 192.168.0.1 netmask 255.255.255.0"
              defaultrouter="10.14.3.1"
    3.  saat yang paling mengasyikan, yaitu setting nat dengan pf.Ini adalah              konfigurasi nat dan bandwidth managementnya ( file /etc/pf.conf):

ext_if="rl0" #variable external interface
ext_addr="10.14.3.7/32" #IP address untuk ext_if
priv_addr="192.168.0.0/24" #subnet untuk private address

pass out on $ext_if proto {tcp,udp} from any to any port 53 keep state queue dns
pass out on $ext_if proto tcp from any to any port { 80, 443 } keep state queue www
pass out on $ext_if proto tcp from any to any port {6666, 6667, 6668} keep state queue chatting
pass in on $ext_if proto tcp from any to any port 22 keep state queue ssh

penjelasan :
altq on $ext_if priq bandwidth 10Mb queue {dns,ssh,www,chatting,other} ()
queue dns priority 14 priq(red)
queue ssh priority 13 priq(red)
queue www priority 12 priq(red)
queue chatting priority 11 priq(red)
queue other priority 1 priq(default)
#queue test_b priority 10

syntax diatas menjelaskan tentang bandwidth management dengan menggunakan priq. sebenarnya ada beberapa algoritma queue management di FreeBSD, diantaranya CBQ(class-Based Queue), priq(priority), HFSC (Hierarchial Fair Service Curve). disini saya hanya menjelaskan menggunakan algoritma priq(priority queuing). Priority Queuing merupakan algoritma yang  paling sederhana ketimbang CBQ maupun HFSC. Mekanismenya adalah sebagai berikut, kita memiliki alokasi bandwidth sebesar X Mb, dengan bandwidth sebesar X tsb, kita ingin membagi-bagi bandwidth tsb menjadi beberapa alokasi, misalkan untuk koneksi ssh, www, mail, chatting, dll. Nah, cara kerja PRIQ adalah dengan prioritas. Contohnya gini, koneksi ssh lebih penting daripada koneksi www, dan koneksi www lebih penting ketimbang koneksi mail. Intinya disini adalah prioritas koneksi (dapat dilihat di skrip diatas). suatu koneksi dengan prioritas yang lebih besar memiliki prioritas koneksi yang lebih tinggi pula. nilai priority mulai dari 0-14. semakin tinggi nilai priority-nya, semakin tinggi pula kemungkinan alokasi bandwidth untuk koneksi tersebut. Dari syntax firewall diatas dapat dilihat bahwa koneksi DNS memiliki prioritas paling tinggi, sedang koneksi other memiliki prioritas bandwidth paling rendah. Nah setelah kita bikin bandwidth managementnya, tinggal kita panggil aja lewat script dibawah ini:   
pass out on $ext_if proto {tcp,udp} from any to any port 53 keep state queue dns

pass out on $ext_if proto tcp from any to any port { 80, 443 } keep state queue www

pass out on $ext_if proto tcp from any to any port {6666, 6667, 6668} keep state queue chatting

pass in on $ext_if proto tcp from any to any port 22 keep state queue ssh

yang ditulis tebal diatas, digunakan untuk memanggil queue yang telah dibuat.

setelah membuat bandwidth management, maka tinggal kita bikin NAT nya. untuk penjelasan NAT, silakan baca manuual di internet. settingnya gini :

nat on $ext_if proto {tcp, udp, icmp} from $priv_addr to any -> $ext_addr

dari syntax diatas, dapat diartikan bahwa semua koneksi yang lewat interface $ext_if (rl0) yang berasal dari $priv_addr(192.168.0.0/24) yang menuju ke any (bisa ke semua tujuan), akan diubah menjadi 10.14.3.7 . Gampangnya, ketika suatu host A yg memiliki IP address  192.168.0.23 yang mengakses misalkan tele.stttelkom.ac.id, maka, di tele.stttelkom.ac.id akan mengenali host A memiliki IP address 10.14.3.7. begitu prinsip NAT.

Untuk skrip yang dibawahnya, saya rasa anda sudah mengerti maksudnya. nah untuk menjalankan firewall tsb jalankan perintah berikut (jangan lupa, setiap kali menjalankan script baru flush dulu firewall nya):

• pfctl -F all (untuk nge flush firewall)
• pfctl -f /etc/pf.conf

setelah firewall nya jalan, anda dapat melihat settingan yang sedang berjalan, caranya adalah :

• pfctl -s all |more

output dari rule /etc/pf.conf adalah sebagai berikut :
TRANSLATION RULES:
nat on rl0 inet proto tcp from 192.168.0.0/24 to any -> 10.14.3.7
nat on rl0 inet proto udp from 192.168.0.0/24 to any -> 10.14.3.7
nat on rl0 inet proto icmp from 192.168.0.0/24 to any -> 10.14.3.7

STATES:
self tcp 10.14.3.7:22 <- 10.14.5.3:45374       ESTABLISHED:ESTABLISHED
self tcp 192.168.0.3:56849 -> 10.14.3.7:60543 -> 10.14.200.231:6667       ESTABLISHED:ESTABLISHED

sebenernya outputnya banyak banget sihh, tapi saya coba mengambil yang penting penting aja.

mungkin cukup sekian dulu sedikit informasi mengenai PF dan bandwidth dengan PF. thanks to temon yang udah banyak ngajarin saya……….

semoga bermanfaat buat temen temen semua

     trimakasih

cipitunk a.k.a kinan