Hacker News

somatt, today at 5:12 PM

I had to make something like this at work once (allow access during some hours, deny it at other times, and they wanted it enforced at the packet level). I was a new sys-admin and all I had was an old Linux box with iptables. It was ending up as the normal iptables mess until I asked myself, "Self: how would pf do it?" "Anchors," I said, "pf would do it with anchors." And I did it that way, well, as much as possible. It was by far my cleanest work with iptables.

It has been a while since I have had to mess with iptables, but if I remember correctly (quickly reads the iptables man page), the equivalent to pf anchors in iptables is to use named chains; then you can faff about loading and unloading the dynamic rules from the chains without messing with the static rules.

The whole thing really made me appreciate the design of pf. I think, strictly speaking, iptables is more capable than pf, but pf, and OpenBSD in general, is far more ergonomic.
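A worked version of the named-chain approach the comment describes, added here as an example; it is not the commenter's script. The static policy sits in the built-in INPUT chain and jumps into one user-defined chain, which plays the role of a pf anchor: the scheduled open/close steps only ever flush and refill that chain, so the static rules are never touched. The chain name TIMED, the POLICY table, the cron schedule and the script path are all made up for the example; it assumes IPv4, root, iptables in PATH and the conntrack match available.

```shell
#!/bin/sh
# Added example, not the commenter's original script: time-windowed access
# enforced at the packet level with iptables, using a named chain the way
# pf would use an anchor. The static policy lives in the built-in chains
# and jumps into one dynamic chain; open/close only ever flush and refill
# that chain, so the static rules are never touched.
#
# Assumptions: IPv4 only, root, iptables in PATH, conntrack match available.
# The chain name, the cron schedule and the POLICY table are made up.
set -eu

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo for a dry run
CHAIN=${CHAIN:-TIMED}             # the "anchor": holds only dynamic rules

# Constructed sample policy: "src_cidr port/proto" per line, allowed
# only while the window is open.
POLICY='
10.0.0.0/24 22/tcp
10.0.1.0/24 443/tcp
'

# Render one iptables rule per policy line, without applying anything.
# Kept separate from open_window so the output can be inspected or tested.
render_rules() {
    printf '%s\n' "$POLICY" | while read -r src dstspec; do
        [ -n "$src" ] || continue            # skip blank lines
        port=${dstspec%/*}
        proto=${dstspec#*/}
        printf '%s\n' "-A $CHAIN -s $src -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# setup: install the static skeleton once, at boot. Nothing here is ever
# flushed by open/close. INPUT ends in DROP, so a new connection that the
# dynamic chain does not ACCEPT falls through and is denied.
setup() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true   # idempotent if it already exists
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -j "$CHAIN"              # hand off to the anchor-like chain
    $IPTABLES -A INPUT -j DROP
}

# open: flush our chain, then load the dynamic rules. Flushing first makes
# a repeated "open" harmless instead of stacking duplicate rules.
open_window() {
    $IPTABLES -F "$CHAIN"
    render_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rendered rule is intended
        $IPTABLES $rule
    done
}

# close: empty the chain. Sessions already open survive via the static
# ESTABLISHED,RELATED rule; new connections now hit the static DROP.
close_window() {
    $IPTABLES -F "$CHAIN"
}

# Driven from cron, e.g. (hypothetical schedule and path):
#   0 8  * * 1-5  /usr/local/sbin/timed-access.sh open
#   0 18 * * 1-5  /usr/local/sbin/timed-access.sh close
case "${1:-}" in
    setup) setup ;;
    open)  open_window ;;
    close) close_window ;;
    "")    ;;   # no verb: only define the functions (for sourcing or testing)
    *)     echo "usage: $0 setup|open|close" >&2; exit 2 ;;
esac
```

Two practical caveats. First, because the static part accepts ESTABLISHED,RELATED before the jump, closing the window stops new connections but leaves sessions that are already open alone; if those must die too, delete their conntrack entries at close time (conntrack -D from conntrack-tools). Second, iptables also has a native time match (-m time with --timestart, --timestop and --weekdays) that can express a fixed daily schedule without any cron job that might fail to fire; the named-chain approach earns its keep when the dynamic rule set itself changes, not just the clock.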