Index: /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10578)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10579)
@@ -12,4 +12,5 @@
 # 8) Overrides default route for local orginating traffic to specific ports, needed for
 #    for normal proxy setup, which should NOT follow the iLeiden default route.
+# 9) Protect the Wireless Network from junk traffic.
 wl_net="172.16.0.0/12"
 allow_ext_tcp="{ssh, domain}"
@@ -65,4 +66,10 @@
 pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto udp from any to !$wl_net port {53} user != unknown keep state
 
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
+
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443 } keep state
+
 # External interface is permissive (4)
 block on $ext_if
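Review bot: The comment above the new `pass out` rule says not even HTTPS is allowed before the user has clicked OK, yet the rule passes ports 80 and 443 for sources in `<wlportal>`, and nothing in the hunk says whether that table holds clients who have accepted or those who have not. A wording such as `# Only sources listed in <wlportal> may reach HTTP/HTTPS outside $wl_net; all other outbound traffic stays blocked (6)`, adjusted to the table's real meaning, would remove the ambiguity. Separately, the `block out` rule carries no `quick`, so under pf's last-match evaluation any later `pass` that matches these interfaces overrides the default-deny. Because `$wl_net` is an IPv4 prefix, the rule presumably applies to inet only and leaves IPv6 on those interfaces to other rules. Both points should be checked against the rest of the ruleset, which lies outside this hunk.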
