I'd probably prefer doing this at lower layers like pf, since I know how to reload those configs via cron, and since I want to avoid unwanted or malicious packets to even make it to the syslog code.
I was just surprised to find no recipe online, it's apparently more of a niche case than I thought. Worth documenting, probably.
I think I may be able to stitch something together with periodically reconfigured packet filters, but I'd appreciate an existing solution.
Bonus points if running on freebsd.