Orka 3.2 Required URL Rules for Filtering
About
Orka Cluster was designed with minimal internet access to increase security; however, some restricted internet access must still be set up. This document lists the URLs that must be permitted to use Orka Cluster. The rulesets were tested on a Cisco virtual Firepower appliance running the Firepower Threat Defense operating system.
These rulesets permit the minimum amount of traffic required for Orka Cluster functionality.
NOTE
- Orka Cluster customers must manage these URLs to support Orka Cluster functionality.
- This applies only to customers whose security requirements filter URLs, either on the MacStadium side or by tunneling traffic to another firewall.
Traffic: Client-Side vs LAN-Side Rulesets
Overview
The rulesets are divided into two sections:
- Client-Side Traffic
The client-side traffic is any traffic whose destination is the ORKA API controller, the ORKA physical hosts, the ORKA virtual machines, or the single sign-on (SSO) service.
- LAN-Side Traffic
The LAN-side traffic is any traffic originating from the ORKA network that exists behind the firewall.
CAUTION:
The document assumes that the Orka network is on 10.221.188.x.
License Requirements
- Tier: FTDv10 - 4 vCPU cores and 8 GB of vRAM
- URL (Filtering) License
- RA VPN License (PLUS)
- Base License
Rulesets
# Client-Side Ruleset
Source | Destination | Protocol and Port # | Applications | URLs | Descriptions |
---|---|---|---|---|---|
Permit Client | Public DNS server | DNS | | | DNS resolution |
Permit Client | Public DNS server | DNS over HTTPS | | | DNS resolution |
Permit Client | | HTTP, HTTPS | | http://idp.macstadium.com, sso.macstadium.com | Single sign-on requirement |
Permit Client | API Controllers 10.221.188.19, 10.221.188.20 | HTTP, TCP 6443 | | | .19 requires TCP/6443 - Ku. LB; .20 requires HTTP - ORKA API |
Permit Client | 10.221.188.22 | HTTPS | Traefik | | Traefik is a reverse proxy. Use case: the customer is using HTTPS to access ORKA |
Permit Client | 10.221.188.31 through 10.221.189.254 | TCP 5900-5912, TCP 5999-6011, TCP 8822-8834 | | | Reserved ports for interacting with created VMs |
Permit Client | 10.221.188.0/23 | ICMP, SSH | | | Requested by ORKA Support during troubleshooting sessions |
Deny Client | ANY | | | | Catch-all deny rule if traffic doesn't match the above |
# LAN-Side Ruleset
Source | Destination | Protocol and Port # | Applications | URLs | Descriptions |
---|---|---|---|---|---|
Permit Orka Network | ANY | NTP | | | Client and administration requirement for DNS and NTP services |
Permit Orka Network | ANY | DNS | | | Client and administration requirement for DNS and NTP services |
Permit Orka Network | ANY | DNS over HTTPS | | | Client and administration requirement for DNS and NTP services |
Permit Orka Network | 207.254.1.172, 207.254.72.172, 208.83.0.22, 199.19.85.74 | TCP 2049 | | | NFS needed for remote ISO shares. Set per market, where the client downloads ISO files from MacStadium: ATL - 207.254.1.172, LSV - 207.254.72.172, DUB - 208.83.0.22, SJC - 199.19.85.74 |
Permit Orka Network | | HTTP | | mirror.math.princeton.edu | FCOS Linux internal packages: dependencies pulled for the environment during the provisioning process; administration purposes, not client usage |
Permit Orka Network | | HTTPS | | hooks.slack.com | Action Runner (typically 10.221.188.10) to update Slack; administration purposes, not needed for client use |
Permit Orka Network | | HTTPS | | us-west2-docker.pkg.dev | Needed for administrative purposes in case a pod needs to re-pull an image; for clients, this rule is needed if they are deploying Intel VMs |
Permit Orka Network | | HTTPS | Web Applications, SSL Client | production.cloudflare.docker.com | Requirement for Docker certificates |
Permit Orka Network | | HTTPS | | hub.docker.com | Administration rule requirement: requirement for Docker container images |
Permit Orka Network | | | | k8s.gcr.io | Administration rule requirement: requirement for K8s container images |
Permit Orka Network | | TCP 10259, TCP 2379, TCP 2380, TCP 6443 | | registry.k8s.io | Administration traffic; client use not necessary: review rules |
Permit Orka Network | | HTTPS | | pkgs.k8s.io | Administration stack requirement |
Permit Orka Network | | HTTPS | | k8s.io | Catch-all for the URL |
Permit Orka Network | | HTTP, HTTPS | | get.helm.sh | Administration requirement for K8s stack |
Permit Orka Network | | HTTPS | | projectcalico.org | Administration requirement for K8s stack |
Permit Orka Network | | HTTPS | | updates.cdn-apple.com | Client and administration requirement, especially depending on the VMs' OS |
Permit Orka Network | | HTTPS | | configuration.apple.com | Client and administration requirement, especially depending on the VMs' OS |
Permit Orka Network | | HTTPS | | adc.apple.com | Client and administration requirement, especially depending on the VMs' OS |
Permit Orka Network | | HTTPS | | swscan.apple.com | Client and administration requirement, especially depending on the VMs' OS |
Permit Orka Network | | HTTPS | | apple.com | Catch-all for any other Apple site that appeared as blocked during the earlier POC session |
Permit Orka Network | | HTTPS | | formulae.brew.sh | Client and administration requirement: dependency for the macOS package manager |
Permit Orka Network | | | Amazon Web Services | | Administration requirement for ORKA stack |
Permit Orka Network | | HTTPS | | mimir.nap.macstadium.com | Administration requirement for monitoring stack |
Permit Orka Network | | HTTPS | | grafana.orka.dev | Administration requirement for monitoring stack |
Permit Orka Network | | HTTPS | | dns-challenge-validator.orka.dev | Client and administration requirement for certificate validation |
Permit Orka Network | | HTTPS | | loki.orka.dev | Administration requirement for monitoring stack |
Permit Orka Network | | HTTPS | | orka.dev | Catch-all for the URL |
Permit Orka Network | | HTTPS | | pypi.org | Administration requirement for Docker authentication |
Permit Orka Network | | HTTPS | | auth.docker.io | Administration requirement for container images |
Permit Orka Network | | HTTPS | | charts.jetstack.io | Administration requirement for container images |
Permit Orka Network | | HTTPS | | fedoraproject.org | Administration requirement for container images |
Permit Orka Network | | HTTPS | | edge.kernel.org | Administration requirement for container images |
Permit Orka Network | | HTTPS | | files.pythonhosted.org | Administration requirement for Python dependencies |
Permit Orka Network | | HTTPS | | ghcr.io | Administration requirement for container and client images |
Permit Orka Network | | | Github | | Client and administration requirement for OCI |
Permit Orka Network | | HTTPS | | quay.io | Administration requirement for container and client images |
Permit Orka Network | | HTTPS | | packages.cloud.google.com | Administration requirement for container images |
Deny Orka Network | ANY | | | | Catch-all deny rule if traffic doesn't match the above |
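As an added example (not part of the Orka documentation or of MacStadium's tooling), the following Python script models both the Client-Side and the LAN-Side rulesets above as an ordered, first-match policy ending in a catch-all deny, and evaluates constructed sample flows against it. Addresses, port ranges and hostnames are transcribed from the two tables. The mapping of the page's protocol names to ports (HTTP 80, HTTPS 443, SSH 22, DNS 53, NTP 123) is a standard-port assumption, the client-side DNS rows are omitted because the page names no server address, only a subset of the LAN-side rows is modelled, and the sample flows (using the 203.0.113.0/24 documentation range) are constructed.

```python
"""Added example: first-match model of the page's two rulesets.

Rule values are transcribed from the tables; the protocol-to-port mapping
and the sample flows are assumptions/constructed, not page content.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


def ip_range(first, last):
    # The page lists VM destinations as "X through Y"; expand that into CIDR blocks.
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# Rule tuple: (name,
#              destination networks, or None for ANY,
#              (proto, low, high) port ranges, or None for ANY,
#              permitted URL hosts, or None when the row lists no URL)
# Assumed standard ports: HTTP 80, HTTPS 443, SSH 22, DNS 53, NTP 123.
CLIENT_RULES = [
    ("SSO", None, [("tcp", 80, 80), ("tcp", 443, 443)],
     ["idp.macstadium.com", "sso.macstadium.com"]),
    ("API controller .19 TCP/6443", [net("10.221.188.19/32")], [("tcp", 6443, 6443)], None),
    ("API controller .20 HTTP", [net("10.221.188.20/32")], [("tcp", 80, 80)], None),
    ("Traefik", [net("10.221.188.22/32")], [("tcp", 443, 443)], None),
    ("VM access ports", ip_range("10.221.188.31", "10.221.189.254"),
     [("tcp", 5900, 5912), ("tcp", 5999, 6011), ("tcp", 8822, 8834)], None),
    ("Support ICMP/SSH", [net("10.221.188.0/23")], [("icmp", 0, 0), ("tcp", 22, 22)], None),
]

NFS_HOSTS = ["207.254.1.172", "207.254.72.172", "208.83.0.22", "199.19.85.74"]
LAN_RULES = [  # subset of the LAN-side table
    ("NTP", None, [("udp", 123, 123)], None),
    ("DNS", None, [("udp", 53, 53), ("tcp", 53, 53)], None),
    ("NFS remote ISO", [net(a + "/32") for a in NFS_HOSTS], [("tcp", 2049, 2049)], None),
    ("Slack hook", None, [("tcp", 443, 443)], ["hooks.slack.com"]),
    ("Docker", None, [("tcp", 443, 443)], ["hub.docker.com", "auth.docker.io"]),
    ("Kubernetes catch-all", None, [("tcp", 443, 443)], ["k8s.io"]),
    ("Apple catch-all", None, [("tcp", 443, 443)], ["apple.com"]),
    ("Orka catch-all", None, [("tcp", 443, 443)], ["orka.dev"]),
]


def host_matches(host, allowed):
    """True for a listed name or a real subdomain of it.

    "swscan.apple.com" matches "apple.com"; "notapple.com" does not. A bare
    host.endswith("apple.com") would wrongly accept the latter.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def evaluate(rules, dst_ip, proto, port=0, host=None):
    """Return ("permit", rule name) for the first matching rule, else ("deny", "catch-all")."""
    ip = ipaddress.ip_address(dst_ip)
    for name, nets, ports, hosts in rules:
        if nets is not None and not any(ip in n for n in nets):
            continue
        if ports is not None and not any(p == proto and lo <= port <= hi
                                         for p, lo, hi in ports):
            continue
        if hosts is not None and (host is None or not host_matches(host, hosts)):
            continue
        return ("permit", name)
    return ("deny", "catch-all")


if __name__ == "__main__":
    # Constructed flows; 203.0.113.0/24 is the RFC 5737 documentation range.
    samples = [
        (CLIENT_RULES, "10.221.188.40", "tcp", 5901, None),   # inside VM port range
        (CLIENT_RULES, "10.221.188.40", "tcp", 5913, None),   # one port past the range
        (CLIENT_RULES, "10.221.188.20", "tcp", 6443, None),   # .20 is HTTP only
        (CLIENT_RULES, "10.221.190.1", "tcp", 22, None),      # outside 10.221.188.0/23
        (CLIENT_RULES, "203.0.113.10", "tcp", 443, "sso.macstadium.com"),
        (LAN_RULES, "203.0.113.10", "tcp", 443, "swscan.apple.com"),
        (LAN_RULES, "203.0.113.10", "tcp", 443, "notapple.com"),
        (LAN_RULES, "207.254.1.172", "tcp", 2049, None),
    ]
    for rules, ip, proto, port, host in samples:
        print(f"{ip:15} {proto:4} {port:5} {host or '-':22} -> {evaluate(rules, ip, proto, port, host)}")
```

The host check accepts a listed name or a true subdomain of it, which is what a catch-all such as apple.com or k8s.io should mean on a URL filter; a plain suffix test would also accept an unrelated domain that merely ends in the same characters. The boundary flows (port 5913, address 10.221.188.30, controller .20 on TCP/6443) show exactly where the catch-all deny takes over.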