I've found someone implementing a simple captive portal that might be
candidate. Any comments on the basic approach (though of course the devil is
in the details)?

<snip>
The centeral feature of my design I borrowed from nocat, is that the
redirect goes to a "special" httpd on port 5280,  this server takes not of
the origin URL and presents a special page with an "login" button.  the
login button does a cgi GET passing the "I Agree" and the URL to an https
page on the router which uses (if login mode) Authenticate: to get the
username/password, or just opens the firewall for that IP (previously
provided by DHCP).  A cron job (to be written) keeps track of the
connections and times them out by whatever method is chosen (when idle,
after a set time, etc...)

so far I have everything but the firewall manipulation and cron coded.  This
is all Linux, and a severly hacked httpd.
</snip>

Now I know we don't have cron but perhaps we can fake it with an appropriate
sleep loop. Also, I assume there's no problem with, worse case, hacking a
different mini_httpd together (though it would use half our 100k memory
budget).

Then there's the firewall rule compatibility between ipfw2 and whatever
Linux uses. Anyone have info on that?

cheers, michael