why-openbsd.rocks

pf(4)

pf is OpenBSD's very own firewall, included since OpenBSD 3.0. It is simple and feature-rich, and its configuration files are easy to read. It supports variables (called macros in pf.conf), lists and tables.

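extif = "em0"                     # external interface; em0 is an assumed name, adjust to your system
tcpin = "{ http, https, ssh }"    # macro holding a list of service names

block in all                                               # default: deny all inbound traffic
pass out quick on $extif from any to any                   # allow all outbound traffic
pass in on $extif proto tcp from any to any port $tcpin    # allow inbound TCP to the listed services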
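
The snippet above uses a macro and a list; tables, the third feature mentioned, are not shown. The following pf.conf is an added example, not from the original page, that extends the same ruleset with a fixed table and a runtime-filled one. The interface name em0, the table and macro names, the addresses (documentation ranges) and the connection limits are assumptions.

```pf
# Added example: extends the page's snippet with tables.
extif    = "em0"                 # assumed external interface name
webports = "{ http, https }"     # macro holding a list

# const: contents fixed at load time. Addresses are documentation ranges (constructed).
table <trusted> const { 192.0.2.0/24, 198.51.100.7 }
# persist: keep the table even when it is empty; pf fills it at runtime.
table <bruteforce> persist

block in all
# quick: stop rule evaluation here, so listed sources never reach a pass rule.
block in quick on $extif from <bruteforce>
pass out quick on $extif from any to any
pass in on $extif proto tcp from any to any port $webports

# Trusted sources reach ssh without rate limits.
pass in quick on $extif proto tcp from <trusted> to any port ssh
# Everyone else: a source exceeding 10 concurrent or 5 new connections per 30 s
# is added to <bruteforce> and its existing states are flushed.
pass in on $extif proto tcp from any to any port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -t bruteforce -T show` lists the addresses caught so far.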

In fact, pf was often one of the top selling points for OpenBSD and many commercial firewall appliances are based on it.