Open jvoisin opened 2 months ago
hey @jvoisin,
Not sure if this can be configured in the daemon / config file. Do you have any insights?
If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.
Cheers, Franco
> Not sure if this can be configured in the daemon / config file. Do you have any insights?
I don't know :/
> If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.

Sure, I can disable ntp, but I thought it might be good to change this behaviour, since OPNsense is kinda a security-oriented product :)
It's not disabling it. The client mode exits after setting the time so that it cannot be queried.
Changing the default to client mode is a possibility, but changing existing installs is tricky because we don't know who relies on the NTP server running in their network.
Cheers, Franco
I meant "disabling the information leakage", not the ntpd :)
It would be nice if the ntp service would refrain from giving its exact version, on what CPU it's running, as well as the operating system and its exact version. I'd rather have guests on my LAN have to do a bit more effort in order to see if I'm running outdated/exploitable software.
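
An added example, not part of the thread or of OPNsense's code: a check that parses an NTP control-message reply and reports the identifying variables the issue describes. It assumes the leak comes from ntpd's mode 6 "read variables" response (the one `ntpq -c rv` displays); the function names are hypothetical and both sample payloads are constructed.

```python
import re
import struct

# Variables the issue names as leaking: daemon version, CPU, operating system.
IDENTIFYING = ("version", "processor", "system")
PAIR = re.compile(r'\s*([A-Za-z_]\w*)=("[^"]*"|[^,]*),?')

def parse_readvar(packet: bytes) -> dict:
    """Parse one unfragmented NTP control (mode 6) response into name -> value."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte control header")
    flags, op, _seq, _status, _assoc, offset, count = struct.unpack(
        "!BBHHHHH", packet[:12])
    if (flags & 0x07) != 6:
        raise ValueError("not a mode 6 control message")
    if not (op & 0x80) or (op & 0x40):
        raise ValueError("not a successful response")
    if (op & 0x20) or offset:
        raise ValueError("fragmented response, reassemble before parsing")
    data = packet[12:12 + count]  # count excludes the 4-byte alignment padding
    if len(data) != count:
        raise ValueError("truncated payload")
    text = data.decode("ascii", "replace")
    return {k: v.strip().strip('"') for k, v in PAIR.findall(text)}

def leaked_identifiers(packet: bytes) -> dict:
    """Return only the variables that fingerprint the host's software."""
    variables = parse_readvar(packet)
    return {k: variables[k] for k in IDENTIFYING if variables.get(k)}

def build_sample(body: bytes) -> bytes:
    """Constructed response: 0x16 = version 2, mode 6; 0x82 = response, opcode 2."""
    header = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0, len(body))
    return header + body + b"\x00" * (-len(body) % 4)

# Constructed payloads, not captured from any real server.
SAMPLE_LEAKY = build_sample(
    b'version="ntpd 0.0.0-constructed", processor="amd64", '
    b'system="ExampleOS/1.0", leap=0, stratum=3\r\n')
SAMPLE_QUIET = build_sample(b"leap=0, stratum=3\r\n")

if __name__ == "__main__":
    for name, pkt in (("leaky", SAMPLE_LEAKY), ("quiet", SAMPLE_QUIET)):
        print(name, leaked_identifiers(pkt) or "no identifying variables")
```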