Monday, 3 June 2013

ufw firewall rules for security.debian.org

What is a practical way to manage a whitelist of firewall outgoing connection rules for http://security.debian.org (on a server that blocks all outgoing connections by default)?

My understanding is that security.debian.org is a CNAME to several mirror IPs, and it is advisable to use only IP addresses (not hostnames) in firewall rules. At the moment I simply add newly resolved IPs for security.debian.org to my firewall (ufw) outbound rules as I discover them. However, this is cumbersome and doesn't allow for automated apt-get updates.

Can anyone suggest a better way?

PS: I found the following page somewhat relevant but it did not provide a solution: http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html
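The manual step described in the post, adding each newly resolved address to ufw's outbound rules, can be scripted so that only the difference between the old and new address lists is applied. This is an added example, not part of the original post; the state file path, port 80 and the IPv4-only scope are assumptions.

```shell
#!/bin/sh
# Added example: keep ufw outbound allow rules in step with a host's A records.
HOST="security.debian.org"            # hostname from the post
PORT=80                               # assumption: plain-HTTP APT mirror
STATE="/var/lib/ufw-apt-allow.ips"    # hypothetical file listing IPs this script added

# Print the host's current IPv4 addresses, one per line, sorted and unique.
resolve_ips() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Read addresses on stdin; pass through only well-formed dotted quads so that
# nothing else can reach the ufw command line. Output is sorted and unique.
valid_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' | sort -u
}

# plan_changes OLD_FILE NEW_FILE: print the ufw commands that turn the old
# allow list into the new one. Returns 1 and prints nothing if NEW_FILE is
# empty, so a failed DNS lookup never removes the working rules.
plan_changes() {
    [ -s "$2" ] || return 1
    comm -13 "$1" "$2" | sed "s/.*/ufw allow out proto tcp to & port $PORT/"
    comm -23 "$1" "$2" | sed "s/.*/ufw delete allow out proto tcp to & port $PORT/"
}

# Resolve, plan, apply, then record the new list. Needs root for ufw.
sync_rules() {
    new=$(mktemp) || return 1
    [ -f "$STATE" ] || : > "$STATE"
    resolve_ips "$HOST" | valid_ips > "$new"
    if plan=$(plan_changes "$STATE" "$new"); then
        # The plan contains only validated addresses; stop at the first failure
        # and update the state file only when every command succeeded.
        printf '%s\n' "$plan" | sh -e && mv "$new" "$STATE"
    else
        rm -f "$new"
        echo "no addresses resolved for $HOST; rules left unchanged" >&2
        return 1
    fi
}

# Run from cron as root with --apply; without it the file only defines functions.
if [ "${1:-}" = "--apply" ]; then sync_rules; fi
```

The allow list then follows whatever the resolver returns, so it is only as trustworthy as the DNS path; APT's signature checks on repository metadata remain the integrity control for the packages themselves.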
