Something almost no firewalls get right is pausing connections (NOT rejecting them) until I've decided whether to allow or not. The only firewalls I've seen do this are Little Snitch for Mac, and Portmaster for Windows (before they made it adware / started locking existing local features behind the subscription).
Firewalls don't do this because they are built at the wrong layer to do proper pending calls. It's too narrow of a design space for most firewalls to care.
True, most firewalls aren't built to pause for user input. But then again, that's why almost no firewall software is suitable for this user experience.
I use Portmaster (on Linux) and I have never seen ads (either in the app or apps that get their DNS from Portmaster) on it. About the only thing I saw different between the free version and the base level paid for version was traffic history and weekly reports (and badges on Discord if that's your kind of thing).
Both used to be free. And you may not consider it advertising when unavailable features exist in the free UI just to tell you they're paid, but I do. Especially when they used to be free.
OpenSnitch seems to do this just fine? Unless I’m misunderstanding your point. Connections seem to just block until I take an action on the dialog. Now, if an application itself has specified a short timeout (looking at you, NodeJS-based stuff), that obviously doesn’t help. But for most software it works great.