Hi,
I don't really understand the main question here, so I'll do my best to reply to the questions I could identify.
The firewall rules are applied to the whole qube; they do not work per application. The rules are applied on the netvm of the qube, so it knows nothing about what is running in the qube it is filtering.
This is the default on Qubes OS when you use official and community templates.
You want to allow incoming connections when you need two qubes to do some networking between each other, or if you want to expose a service to your LAN. When you do, you know you need to; otherwise, do not overthink things.
From the other questions and the context, I suppose you want to restrict a program to reaching a single remote server (or a couple of them) and block all other connections.
For that, you need to know the remote server address(es), the protocol in use, and its port. For instance, IMAPS operates on TCP port 993, so if your mail provider's IMAP server address is mail.foobar.example, the rule would be to allow mail.foobar.example as the address, on protocol TCP, port 993.
By using a domain name instead of an IP, you do not need to resolve the IP of that domain name and update it every time it changes. For some LAN services there is no domain name, so you can only use an IP address.
For many websites, there can be multiple IPs behind a domain name, and they can rotate pretty fast (like behind a CDN or a big load balancer), so this just does not work for more than a few minutes in the best case. A solution would be something like this, but it does not work with every protocol and is unfortunately hard for people with little network and Linux knowledge: URL filtering HTTPS proxy
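An added example, not part of the original post and not code from the Qubes project: a dom0 shell helper that applies the kind of rule described above with the qvm-firewall command-line tool, so a qube can only reach a few named services. Everything beyond the post's mail.foobar.example / TCP 993 is an assumption: the qube name "mail", a constructed second service smtp.foobar.example / TCP 465, the key=value rule syntax (action=, dsthost=, proto=, dstports=, specialtarget=dns) and the fact that `reset` restores a catch-all `action=accept` rule, which the script deletes so that unmatched traffic is dropped. Outside dom0 (or with DRY_RUN set) it prints the commands instead of running them, which is also how you review the plan before applying it.

```shell
#!/bin/sh
# Added example, not from the original post or the Qubes project: a dom0
# helper that limits a qube's outgoing traffic to a few named services
# with qvm-firewall. Usage (in dom0):
#   sh restrict-qube.sh mail mail.foobar.example tcp 993
# Assumptions (not in the post): the qube is called "mail"; qvm-firewall
# accepts key=value rule specifications (action=, dsthost=, proto=,
# dstports=, specialtarget=); "reset" restores the default catch-all
# "action=accept" rule, which is then deleted so unmatched traffic is
# dropped. If qvm-firewall is missing, or DRY_RUN is set, the commands
# are printed instead of executed so the plan can be reviewed.
set -eu

# port_ok N: true when N is an integer in 1..65535.
port_ok() {
    case $1 in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_spec HOST PROTO PORTS: print the qvm-firewall rule for one service.
# HOST is a domain name or an IP (LAN services usually only have an IP);
# PROTO is tcp or udp; PORTS is a single port N or a range N-M.
rule_spec() {
    host=$1 proto=$2 ports=$3
    case $host in ""|*[[:space:]]*)
        echo "rule_spec: bad host '$host'" >&2; return 1 ;;
    esac
    case $proto in tcp|udp) ;;
        *) echo "rule_spec: proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    lo=${ports%%-*} hi=${ports##*-}
    if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -gt "$hi" ]; then
        echo "rule_spec: ports must be N or N-M within 1-65535, got '$ports'" >&2
        return 1
    fi
    printf 'action=accept dsthost=%s proto=%s dstports=%s\n' "$host" "$proto" "$ports"
}

# run CMD...: execute in dom0, or print the command when reviewing elsewhere.
run() {
    if [ -z "${DRY_RUN-}" ] && command -v qvm-firewall >/dev/null 2>&1; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# restrict_qube QUBE HOST PROTO PORTS [HOST PROTO PORTS ...]
restrict_qube() {
    qube=$1; shift
    if [ $# -lt 3 ] || [ $(( $# % 3 )) -ne 0 ]; then
        echo "usage: restrict_qube QUBE HOST PROTO PORTS [HOST PROTO PORTS ...]" >&2
        return 1
    fi
    # Validate every service first, so a typo does not leave the qube
    # half-configured (for example with the catch-all rule already gone).
    specs=""
    while [ $# -ge 3 ]; do
        spec=$(rule_spec "$1" "$2" "$3") || return 1
        specs="${specs}${spec}
"
        shift 3
    done
    run qvm-firewall "$qube" reset                # back to the default rule list
    run qvm-firewall "$qube" del action=accept    # remove the catch-all accept
    run qvm-firewall "$qube" add action=accept specialtarget=dns  # the qube must still resolve names
    printf '%s' "$specs" | while IFS= read -r spec; do
        # shellcheck disable=SC2086 -- the spec is meant to split into key=value words
        run qvm-firewall "$qube" add $spec
    done
    run qvm-firewall "$qube" list
}

# With no arguments only the functions are defined (for sourcing or tests).
if [ $# -ge 4 ]; then
    restrict_qube "$@"
fi
```

The rules are evaluated top to bottom in the qube's netvm, and once the catch-all accept is gone, anything that matches no rule is dropped; keeping the `specialtarget=dns` rule is what lets the program inside the qube resolve mail.foobar.example in the first place. Pass an IP address as HOST for LAN services that have no name.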