Hybrid Design is an new idea of IRIS which combines all software functions in one unit, instead of having seperate configurations for different units.

Current Status: Pre-Production Testing

Advantages:

• More flexible software configuration.
• Only one branch to maintain.
• Better understanding of the different systems in use.
• Using less hardware at an location.

Some downsides:

• Implementation is sometimes not so trivial to understand.

Extra goals:

• No manual configuration on the nodes anymore, all configuration flags in Gformat.
• More robust setup (no full file:/var partions anymore).
• Take better use of available hardware (use buildin standard daemons, instead of the light versions).

Implementation details:

• An Node can have services, this desides the role and daemons to run.
• Firewall logic is stored in pf firewall. file:/etc/pf.*.conf
• Routing table 0, reflect the main function of the machine (e.g. how clients uses the machine).
• Routing table 1, is an shadow routing table with an default gateway pointing to the directly connected route.
• file:/tools/check-inet-alive enables or disables services which reflects the current state of the inet connection.
• Useless traffic is blocked/rejected as soon as possible.

Current Roles:

• service_proxy_ileiden = Outgoing NAT Router.
• service_proxy_normal = Outgoing HTTP Proxy.
• service_access_point = Accesspoint with Captive Portal.
• service_incoming_rdr = Incoming NAT/RDR Router.

To-Be-Implemented Roles:

• service_openvpn_server = Incoming OpenVPN Server.
• service_openvpn_client = Outgoing OpenVPN Client.