These requirements are similar to the balenaCloud network requirements; which is also the most up-to-date point-of-truth. In case that there is a firewall between balena devices and balenaMachine, each of these ports should work outward only (and inward once outward connection is established).
Additionally, you should allowlist the domain with a wildcard (e.g
*.balena.<your_domain>.com) with which the balenaMachine has been configured for the
ports listed on the balenaCloud network requirements.
The default NTP and DNS servers are on the Internet. You may configure the devices to use local addresses.