so, i had trouble believing that m0n0wall could have what appeared to be
such a serious flaw. long story short, it doesn't.
i put a machine running wireshark on the wan side of my m0n0, and found that
despite the logs showing packets being passed (because that's what the rules
say!), nothing was actually making it out the wan.
seems i misunderstood the way captive portal works. i assumed the CP
trapped packets BEFORE the rule filters. seems that's not the case. makes
sense i suppose, since to work properly DNS has to pass first.
however, this brings up an interesting question. what if CP were changed so
that there were TWO rule sets: one for un-authenticated traffic, another
for authenticated traffic. in a way, the pass-through functionality of CP
is a way of achieving this, but without the fine control that firewall rules
allow. would there be any value to this?