opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License
3.36k stars 753 forks

Enable restrict noquery by default for ntpd #7830

Closed doktornotor closed 2 months ago

doktornotor commented 2 months ago

See https://github.com/opnsense/core/issues/7832

fichtner commented 2 months ago

@doktornotor Looks good at first glance. Let me know when it's ready.

doktornotor commented 2 months ago

Well, pretty much ready - sans any migration bits as noted on https://github.com/opnsense/core/issues/7832#issuecomment-2323236749

The "logic" is just really - WTH. 🤐

doktornotor commented 2 months ago

And yes, flipping the default is the intended purpose of these commits here ("Enable restrict noquery by default"). I suspect pretty much everyone is unaware of the info leak. Also, this is sort of a DDoS amplification feature, as noted e.g. in https://www.ncsc.gov.ie/emailsfrom/Shadowserver/DoS/NTP-Version/
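
An added example, not part of this pull request or of OPNsense's code: a small Python check that flags `restrict default` lines in an ntpd configuration that carry neither `noquery` nor `ignore`, and so still answer ntpq/ntpdc status queries. The sample configurations and the function name `audit_restrict` are constructed for illustration; only entries written with the `default` keyword are examined.

```python
# Constructed sample configurations (not OPNsense's generated ntpd.conf).
SAMPLE_WEAK = """\
# constructed sample: time service restricted, status queries still answered
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict 127.0.0.1
restrict ::1
"""

SAMPLE_HARDENED = """\
# constructed sample: same policy with noquery added to the default entries
restrict default kod limited nomodify nopeer notrap noquery
restrict -6 default kod limited nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict ::1
"""

# Flags that stop ntpd from answering ntpq/ntpdc queries from matching hosts.
QUERY_BLOCKING = {"noquery", "ignore"}


def audit_restrict(conf_text):
    """Return (line_number, text) for default restrict entries that allow queries."""
    findings = []
    seen_default = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args or args[0] != "default":
            continue                                # host-specific entry, skip
        seen_default = True
        if not QUERY_BLOCKING & set(args[1:]):
            findings.append((lineno, raw.strip()))
    if not seen_default:
        # Without any default entry ntpd applies no restrictions at all.
        findings.append((0, "no 'restrict default' entry found"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for lineno, text in audit_restrict(conf):
            print(f"{name}: line {lineno}: queries allowed: {text}")
```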

fichtner commented 2 months ago

Merged, thanks!