From 9e7fe29e416736bf2be5aeaf7adbad05d4e175cf Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 3 Feb 2014 23:41:35 +0100
Subject: [PATCH] ntpd: Don't answer status queries

Workaround for CVE-2013-5211: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
---
 nixos/modules/services/networking/ntpd.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix
index e5e164021d3a..cdab789cd289 100644
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@@ -15,6 +15,9 @@ let
 # chroot to ${stateDir}, we have to specify it as /ntp.drift.
 driftfile /ntp.drift
+ restrict default kod nomodify notrap nopeer noquery
+ restrict -6 default kod nomodify notrap nopeer noquery
+
 ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)}
 '';
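Review bot: The added `restrict default ... noquery` lines also apply to loopback, so after this change `ntpq -p` or `ntpdc` run on the host itself can no longer read peer status, which is how an operator would confirm the daemon is actually synchronising and that the mitigation is in place. The usual complement is an explicit loopback exception placed after the default lines, `restrict 127.0.0.1` and `restrict -6 ::1`, which keeps local status queries working while still refusing them from the network. Separately, as far as I recall from ntpd's access-control documentation the `kod` flag only produces kiss-o'-death replies together with `limited` (and a `discard` rate); if that holds for the ntp version in nixpkgs, `kod` here is inert and either `limited` should be added or `kod` dropped so the line does not suggest rate limiting that is not configured — worth confirming. The configuration string and the enclosing `let` binding begin before this hunk.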