Hybrid Design is a new idea for IRIS that combines all software functions in one unit, instead of having separate configurations for different types of units.

Current Status: Pre-Production Testing

Advantages:
- More flexible software configuration.
- Only one branch to maintain.
- Better understanding of the different systems in use.
- Less hardware needed per location.


Some downsides:
- The implementation is sometimes not trivial to understand.

Extra goals:
- No more manual configuration on the nodes; all configuration flags live in Gformat.
- More robust setup (no full file:/var partitions anymore).
- Make better use of the available hardware (use the built-in standard daemons instead of the light versions).


Implementation details:
- A node can have services; these decide its role and the daemons to run.
- Firewall logic is stored in pf firewall rules: file:/etc/pf.*.conf
- Routing table 0 reflects the main function of the machine (e.g. how clients use the machine).
- Routing table 1 is a shadow routing table whose default gateway points to the directly connected route.
- file:/tools/check-inet-alive enables or disables services to reflect the current state of the internet connection.
- Useless traffic is blocked/rejected as early as possible.
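The following is an added example of the check-inet-alive idea described above; it is not the IRIS file:/tools/check-inet-alive script. It assumes a FreeBSD node where routing table 1 is reachable through setfib(1), services are controlled with service(8), and the probe host, state file and service names (squid, openvpn) are placeholders. The probe goes through the shadow table so it keeps working while table 0 is being changed, and services are only toggled on a state transition so a flapping uplink does not restart daemons every run.

```shell
#!/bin/sh
# Added example of a check-inet-alive style script; not the IRIS script itself.
# Assumptions: FreeBSD, setfib(1) with routing table 1 populated, service(8),
# and hypothetical service names / probe host / state file.

PROBE_HOST="${PROBE_HOST:-8.8.8.8}"               # host that proves the uplink works
INET_SERVICES="${INET_SERVICES:-squid openvpn}"    # hypothetical uplink-dependent services
STATE_FILE="${STATE_FILE:-/var/run/inet-state}"    # last observed state (up/down)

# probe_inet: exit 0 when the uplink answers. The probe is sent through the
# shadow table (routing table 1, default route to the directly connected
# gateway) so it does not depend on table 0, which reflects the node's role.
probe_inet() {
    setfib 1 ping -c 1 -t 2 "$PROBE_HOST" >/dev/null 2>&1
}

# plan_services PREV CUR: pure decision logic. Prints one
# "enable|disable <service>" line per service, and nothing when the state did
# not change (no flapping). No side effects, so it can be tested without root.
plan_services() {
    prev="$1"
    cur="$2"
    if [ "$prev" = "$cur" ]; then
        return 0
    fi
    for svc in $INET_SERVICES; do
        case "$cur" in
            up)   echo "enable $svc" ;;
            down) echo "disable $svc" ;;
            *)    echo "invalid state: $cur" >&2; return 1 ;;
        esac
    done
}

# apply_plan: turn plan lines into service(8) commands. With DRY_RUN set the
# commands are printed instead of executed.
apply_plan() {
    while read -r action svc; do
        case "$action" in
            enable)  cmd="service $svc onestart" ;;
            disable) cmd="service $svc onestop" ;;
            *)       continue ;;
        esac
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd    # word splitting intended: "service <name> onestart"
        fi
    done
}

# check_inet_alive: probe, compare with the recorded state, act on transitions.
check_inet_alive() {
    prev="$(cat "$STATE_FILE" 2>/dev/null || echo unknown)"
    if probe_inet; then cur=up; else cur=down; fi
    plan_services "$prev" "$cur" | apply_plan
    echo "$cur" > "$STATE_FILE"
}

# Intended to run from cron, e.g. every minute:
#   * * * * * CHECK_INET_RUN=1 /path/to/this-script
if [ "${CHECK_INET_RUN:-}" = 1 ]; then
    check_inet_alive
fi
```

Table 1 has to exist before this works: on FreeBSD that means a second FIB (net.fibs in loader.conf) and a default route added with setfib 1 route add default <directly connected gateway>. Probing a single host is a weak signal; a practitioner would probe two or three targets and treat the uplink as down only when all fail.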


Current Roles:
- service_proxy_ileiden = Outgoing NAT router.
- service_proxy_normal = Outgoing HTTP proxy.
- service_access_point = Access point with captive portal.
- service_incoming_rdr = Incoming NAT/RDR router.

To-Be-Implemented Roles:
- service_openvpn_server = Incoming OpenVPN server.
- service_openvpn_client = Outgoing OpenVPN client.
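As an added example (not IRIS's own configuration code), the script below shows how the node's service list, which in the Hybrid Design comes from the Gformat node definition, can select both the pf rules and the daemons for the four current roles. The interface names, networks, ports, the <authenticated> table and the daemon names (dhcpd, squid, hostapd, portald) are assumptions. The rule skeleton follows FreeBSD pf, where translation rules (nat/rdr) must precede filter rules and "quick" stops evaluation at the first match, which is how "blocked as early as possible" is expressed in pf.

```shell
#!/bin/sh
# Added example, not IRIS's own code: derive pf.conf and the daemon list from
# a node's service roles. Interfaces, networks, ports and daemon names are
# assumptions; rule syntax is FreeBSD pf (translation rules before filter rules).

EXT_IF="${EXT_IF:-vr0}"                   # uplink / interconnect side
INT_IF="${INT_IF:-wlan0}"                 # client side
RDR_TARGET="${RDR_TARGET:-172.16.0.10}"   # host that receives forwarded ports
PROXY_PORT="${PROXY_PORT:-3128}"          # local HTTP proxy
PORTAL_PORT="${PORTAL_PORT:-8000}"        # local captive portal

# role_daemons ROLE: daemons the role needs (hypothetical names). Fails on unknown roles.
role_daemons() {
    case "$1" in
        service_proxy_ileiden) echo "dhcpd" ;;
        service_proxy_normal)  echo "squid" ;;
        service_access_point)  echo "hostapd dhcpd portald" ;;
        service_incoming_rdr)  echo "" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# role_translation ROLE: nat/rdr rules; these must come before any filter rule.
role_translation() {
    case "$1" in
        service_proxy_ileiden)
            echo "nat on \$ext_if from \$int_if:network to any -> (\$ext_if)" ;;
        service_proxy_normal)   # transparent redirect of client HTTP to the local proxy
            echo "rdr on \$int_if proto tcp from \$int_if:network to any port 80 -> 127.0.0.1 port $PROXY_PORT" ;;
        service_access_point)   # unauthenticated clients land on the portal
            echo "rdr on \$int_if proto tcp from ! <authenticated> to any port 80 -> 127.0.0.1 port $PORTAL_PORT" ;;
        service_incoming_rdr)
            echo "rdr on \$ext_if proto tcp from any to (\$ext_if) port { 80, 443 } -> $RDR_TARGET" ;;
        *) return 1 ;;
    esac
}

# role_filter ROLE: pass rules; pf matches filter rules against the translated addresses.
role_filter() {
    case "$1" in
        service_proxy_ileiden)
            echo "pass in on \$int_if from \$int_if:network to any keep state" ;;
        service_proxy_normal)
            echo "pass in on \$int_if proto tcp from \$int_if:network to 127.0.0.1 port $PROXY_PORT keep state" ;;
        service_access_point)
            echo "pass in on \$int_if from <authenticated> to any keep state"
            echo "pass in on \$int_if proto tcp to 127.0.0.1 port $PORTAL_PORT keep state" ;;
        service_incoming_rdr)
            echo "pass in on \$ext_if proto tcp from any to $RDR_TARGET port { 80, 443 } keep state" ;;
        *) return 1 ;;
    esac
}

# gen_pf_conf ROLE...: complete pf.conf. Junk sources are dropped with "quick"
# at the top of the filter section; anything no role passes is blocked.
gen_pf_conf() {
    for r in "$@"; do role_daemons "$r" >/dev/null || return 1; done
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
table <authenticated> persist
set skip on lo0
scrub in all
EOF
    for r in "$@"; do role_translation "$r"; done
    cat <<EOF
block drop in quick on \$ext_if from { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 } to any
block return all
pass out quick keep state
EOF
    for r in "$@"; do role_filter "$r"; done
}

# node_daemons ROLE...: sorted, de-duplicated daemon list for the node.
node_daemons() {
    for r in "$@"; do role_daemons "$r" >/dev/null || return 1; done
    for r in "$@"; do role_daemons "$r"; done \
        | tr ' ' '\n' | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage (hypothetical file name):
#   GEN_ROLES="service_proxy_ileiden service_incoming_rdr" sh gen-pf.sh > /etc/pf.hybrid.conf
if [ -n "${GEN_ROLES:-}" ]; then
    gen_pf_conf $GEN_ROLES    # word splitting intended: one role per word
fi
```

The order of the roles matters once two of them redirect the same port: for rdr the first matching rule wins, so with both service_access_point and service_proxy_normal on one node the portal redirect must be emitted first or unauthenticated clients bypass the portal. Validate the generated file with pfctl -nf before loading it.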