The node doesn’t make a lot of outbound connections (currently), but this could still be tricky. You probably need to whitelist:
- all of the satellite IPs, port 7777
- version.storj.io:443
- collectora.storj.io:9000 (only if you want to allow metrics collection)
- all IPs for github.com, port 443
- DNS requests, however the host is configured
Now, the github one that will be a pain, because that list is probably fairly long and frequently changing. It’s necessary because that’s where the updater gets new versions of the node software from. You might be in a position to control DNS and always hand back a single IP for github.com, so that the node will always use that IP. That would work for a while, but even that will probably fail eventually.
Finally, the node may try to contact other hosts in order to verify the TLS certificates of the above hostnames. This might include x1.c.lencr.org, crl.identrust.com, and others. To get the full list, you’d need to fetch the full certificate chain for all of the above hostnames and whitelist any CRL or OCSP distribution points. I’m not 100% sure whether curl, wget, or golang’s tls library do their own revocation checking or if things will break when those can’t be completed.
That’s all I can think of or find at the moment.
P.S. Please note that we don’t have the resources to support a constantly up to date or comprehensive outgoing access policy. There may be more outgoing connections that need to be added over time- maybe lots more- and we might not update this post when it happens. Your setup might break at any time. I personally can try to keep you updated, but I might miss some change, and we don’t yet have anything automated to check for outgoing connections.