this post was submitted on 20 Dec 2024

homelab

I have a couple rules in place to allow traffic in from specific IPs. Right after these rules I have rules to block everything else, as this firewall is an "allow by default" type.

The problem I'm facing is that when I replace these two ports to match "Any" instead, those machines (matrix server and game server) are unable to perform apt-gets.

I had thought that this should still be allowed, because the egress rules for those two permit outbound traffic to http/s and once that's established it's a "stateful" connection which should allow the traffic to flow back the other way.

What am I doing wrong here, and what is the best way to ensure that traffic only hits these servers from the minimal number of ports?

[–] [email protected] 1 point 4 weeks ago

Are you able to, say, wget 1.1.1.1?

Maybe it's just DNS: since it's UDP-based there is no state, although some firewalls do detect requests and treat it as pseudo-stateful.
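The two points raised in this thread (ordering the stateful allow before the narrow allows and the block-all, and checking whether DNS rather than HTTP is what the firewall drops) can both be shown in one script. This is an added example, not code from the thread or from either poster; the thread does not name the firewall product, so the ruleset below assumes nftables on the server itself. The admin address 203.0.113.10, the inbound ports 22 and 8448 and the mirror host name are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a default-deny nftables ruleset
# that still lets a host run "apt-get update", and carries the three-step probe
# from the comment above: raw-IP TCP first, then DNS, then a fetch by name.
# Addresses and ports are placeholder assumptions, not values from the thread.
set -eu

# write_ruleset OUTFILE ADMIN_IP INBOUND_PORT...
# Inbound: closed except the listed TCP ports, and only from ADMIN_IP.
# Outbound: closed except what package updates need (DNS, HTTP/S, NTP).
write_ruleset() {
  out=$1; admin=$2; shift 2
  ports=$(printf '%s,' "$@"); ports=${ports%,}
  cat >"$out" <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    # Return traffic for connections this host opened. conntrack tracks UDP
    # as well as TCP, so the reply to a DNS query we sent matches here.
    ct state established,related accept
    ct state invalid drop
    # The only way in: the listed ports, and only from the admin host.
    ip saddr $admin tcp dport { $ports } ct state new accept
    meta l4proto { icmp, ipv6-icmp } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    # What apt needs: name resolution, then HTTP/HTTPS to the mirror.
    # Drop the udp/53 line and "wget http://1.1.1.1" still works while
    # "apt-get update" fails at resolution, which is the symptom in the post.
    udp dport 53 accept
    tcp dport 53 accept
    tcp dport { 80, 443 } accept
    udp dport 123 accept
  }
}
EOF
}

# check_ruleset FILE: dry-run parse with nft if it is installed (may need
# root). Skips quietly on a workstation without nftables.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed, skipping syntax check" >&2
  fi
}

# probe MIRROR_HOST: isolate the failing layer. A raw-IP fetch needs no DNS,
# so if it succeeds and the lookup fails, udp/53 (or its reply) is what the
# firewall drops, not the HTTP rules.
probe() {
  host=$1
  if wget -q -O /dev/null --timeout=5 --tries=1 http://1.1.1.1/; then
    echo "tcp/80 by IP: ok"
  else
    echo "tcp/80 by IP: FAIL (outbound TCP or its return traffic is blocked)"
  fi
  if getent hosts "$host" >/dev/null 2>&1; then
    echo "dns lookup of $host: ok"
  else
    echo "dns lookup of $host: FAIL (udp/53 out or the UDP reply is blocked)"
  fi
  if wget -q -O /dev/null --timeout=5 --tries=1 "http://$host/"; then
    echo "http by name: ok"
  else
    echo "http by name: FAIL"
  fi
}

# Usage: sh fw.sh write OUT ADMIN_IP PORT...   or   sh fw.sh probe MIRROR_HOST
case "${1:-}" in
  write) shift; write_ruleset "$@"; check_ruleset "$1" ;;
  probe) shift; probe "$@" ;;
esac
```

The ordering inside each chain is the point: established/related is accepted before the narrow allows and before the chain's drop policy, so narrowing the inbound allow to two ports from one address does not touch return traffic for sessions the server started. On a GUI appliance the same three layers apply in the same order, and the udp/53 outbound allow is the first rule to check when a raw-IP fetch works but name resolution does not.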