I have a VM for which I have a specific whitelist-only firewall. It is supposed to only allow connections to the IPs an app connects to when syncing.
I first got the sync server IPs by listening with tcpdump, then when I had the IPs I activated the whitelist.
This worked perfectly for some time, but now it appears that the IPs have changed. I could do the same thing again, but repeating the process regularly is annoying and defeats the whole purpose of only ever allowing network connections to specific whitelisted servers.
Alternatively, I could set up a process to only allow network traffic from that app somewhat.
Those addresses can change arbitrarily often. Depending on what it is that you are actually trying to achieve with measures like this, you could do something that doesn't involve shoehorning an infrastructure detail into a security policy.
You might be able to simply ask DNS for the current IP addresses. If done regularly, you basically give control over your security perimeter to anyone in a position to influence nameserver responses, which might or might not be something you want.
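As an added example (not from the answer's author), here is a Python refresher in the spirit of the DNS approach above: it resolves the sync hostnames, reports what changed since the previous run so a shifting perimeter is logged rather than silently accepted, and renders an nft script. The hostnames are constructed placeholders, and the nftables set names and the output-chain rule that references them are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample hostnames standing in for the app's sync servers.
SYNC_HOSTS = ["sync1.example.invalid", "sync2.example.invalid"]

Resolver = Callable[[str], Set[str]]


def resolve_with_system_dns(host: str) -> Set[str]:
    """Real resolver: every A/AAAA answer the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def current_allowlist(hosts: Iterable[str], resolve: Resolver) -> Set[str]:
    """Resolve each host and return the set of validated IP address strings."""
    addrs: Set[str] = set()
    for host in hosts:
        for raw in resolve(host):
            # ip_address() raises ValueError on anything that is not a literal IP,
            # so a malformed resolver answer cannot end up in the ruleset.
            addrs.add(str(ipaddress.ip_address(raw)))
    return addrs


def allowlist_diff(old: Set[str], new: Set[str]) -> Dict[str, List[str]]:
    """Which addresses entered or left the perimeter since the last refresh."""
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def nft_script(addrs: Set[str]) -> str:
    """Render an `nft -f` script that replaces the contents of two assumed named
    sets, sync_allow_v4 and sync_allow_v6 in table inet filter; an existing
    output-chain rule (assumed, not shown) is expected to reference them.
    `nft -f` applies the whole file as one transaction, so there is no window
    with an empty set between the flush and the refill."""
    by_ver: Dict[int, List[str]] = {4: [], 6: []}
    for a in sorted(addrs):
        by_ver[ipaddress.ip_address(a).version].append(a)
    lines: List[str] = []
    for ver in (4, 6):
        name = f"sync_allow_v{ver}"
        lines.append(f"flush set inet filter {name}")
        if by_ver[ver]:
            lines.append(f"add element inet filter {name} {{ {', '.join(by_ver[ver])} }}")
    return "\n".join(lines) + "\n"


def refresh(hosts: Iterable[str], resolve: Resolver,
            previous: Set[str]) -> Tuple[Set[str], Dict[str, List[str]], str]:
    """One refresh cycle: resolve, diff against the last known set, render rules."""
    new = current_allowlist(hosts, resolve)
    return new, allowlist_diff(previous, new), nft_script(new)
```

Run `refresh()` from a timer with `resolve_with_system_dns`, persist the returned set for the next cycle, and alert on any non-empty diff before feeding the script to `nft -f`.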
You could use Syncthing. If your NAT router supports UPnP, which most do, you don't need to worry about the firewall. If for some reason it doesn't just work, you can forward 22000 tcp/udp. It's device to device and doesn't depend on IP addresses.