Since the firewall you use only works with IP addresses in the rules, maybe allow your miners to 8.8.8.8 and 8.8.4.4 port 53 for DNS? Set your miners' DNS to those 2 IPs, then you wouldn't have to worry next time an IP changes. Just throwing out options for you...
That won't work for him either. The shortcoming (not going to say problem) is that the firewall would need to do the DNS lookup at the time it boots (and maybe periodically to refresh) to determine what firewall rule to put in place and it doesn't support that.
The "fix" would be to allow all outbound traffic to TCP port 3333, but that would open him up to his miners being able to connect to pools he doesn't want them to (which I would assume is what is trying to be prevented).
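
Added example, not part of any post in this thread: one way to do the periodic lookup outside the firewall is a scheduled script that re-resolves the pool hostname and reconciles the per-IP allow rules for TCP port 3333. It assumes an iptables-style host firewall and a placeholder hostname `pool.example.com`; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

POOL_PORT = 3333  # TCP port named in the thread


def resolve_ipv4(hostname, port=POOL_PORT):
    """Return the set of IPv4 addresses the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def plan_rule_changes(allowed, resolved, port=POOL_PORT):
    """Compare the IPs currently allowed with a fresh lookup.

    Returns (commands, new_allowed). An empty lookup is treated as a DNS
    failure: existing rules are kept rather than cutting the miners off.
    """
    # Validate and normalise; raises ValueError on anything that is not IPv4.
    allowed = {str(ipaddress.IPv4Address(ip)) for ip in allowed}
    resolved = {str(ipaddress.IPv4Address(ip)) for ip in resolved}
    if not resolved:
        return [], allowed
    commands = []
    # Add new addresses before deleting stale ones so there is no outage gap.
    for ip in sorted(resolved - allowed, key=ipaddress.IPv4Address):
        commands.append(
            f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j ACCEPT")
    for ip in sorted(allowed - resolved, key=ipaddress.IPv4Address):
        commands.append(
            f"iptables -D OUTPUT -p tcp -d {ip} --dport {port} -j ACCEPT")
    return commands, resolved


if __name__ == "__main__":
    # Constructed sample data using documentation-range addresses.
    allowed = {"192.0.2.10", "192.0.2.11"}
    # In a scheduled job this would be resolve_ipv4("pool.example.com").
    fresh = {"192.0.2.11", "198.51.100.7"}
    cmds, allowed = plan_rule_changes(allowed, fresh)
    print("\n".join(cmds))
```

Because the rules stay pinned to the addresses of one hostname, miners still cannot reach other pools on port 3333, which the blanket port rule would allow.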