Make firewall 'one size fits all'

my_etc/npf.conf

@@ -1,12 +1,7 @@
 # TODO: Allow in ICMP(v6) by message type
 # TODO: Rate-limit ssh
 
-# ICMP(v6)
-alg "icmp"
-
-group "services" in on vioif0 {
-      pass stateful proto tcp to any port ssh
-}
+$services = { mdns, ssh }
 
 group "localhost" in on lo0 {
       pass stateful all
@@ -16,6 +11,8 @@ group default {
       # Default rule
       block all
 
+      pass stateful in proto { tcp, udp } to any port $services
+
       # Let it goooooo
       pass stateful out all
 }