authpf and rdr
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: authpf and rdr
- From: Christoph Schneeberger <cschnee_(_at_)_box_(_dot_)_telemedia_(_dot_)_ch>
- Date: Thu, 16 Jan 2003 16:31:25 +0100
Hi,
I have at home an OpenBSD 3.1 firewall (due to upgrade to 3.2 soon),
which has 4 legs, one of which is a wireless interface.
Now currently I allow only traffic from this leg from users/ips that
have authenticated by ssh/authpf. This works perfectly in theory but in
reality it always turns out that the folks that bring their notebook
with them don't have putty or any recent ssh client installed. I find
myself often then running around with a floppy disk copying putty on
their notebooks which I would like to avoid with a more "chique"
solution as described below:
Why not redirect all outgoing web connections from the wireless leg with
the following line to an internal website carrying a short introduction
and putty to download:
rdr on wi0 from any to any port 80 -> 10.1.1.2 port 80
This way the user just opens his browser et voila.
And that's great, all outgoing requests go to this website. Cool so far.
But here it gets complicated. After the user downloaded putty and
authenticated himself with a valid account, how could I remove the above
rule or make it obsolete so that the user actually can reach external or
internal websites on port 80?
The only thing I've come up with is to quasi supersede this rule by specifying a
proxy somewhere like in authpf.nat
rdr on wi0 from any to any port 80 -> 10.1.1.1 port 8080
But I would really like to just remove the above ruleset for
authenticated users.
Either I am overlooking something trivial or I am just not "innovative"
enough ;)
So has anybody an idea how I could solve this?
If I missed an important manual or web page please let me know and
accept my apologies for wasting your time, I really did my best
searching the archives and reading man pages.
TIA,
Christoph Schneeberger
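One way to make the catch-all rdr obsolete for an authenticated user, shown here as an added example that is not part of the original post: pf evaluates translation (nat/rdr) rules first-match, so a per-user "no rdr" loaded through authpf's rdr anchor ahead of the general redirect exempts that user's address while everyone else keeps landing on the portal. The interface, portal and gateway addresses are taken from the post; the outside interface name, the use of the $user_ip macro inside authpf.nat, and the anchor placement are assumptions to check against authpf(8) and pf.conf(5) for the installed release.

```pf
# /etc/pf.conf (fragment) -- added example, not the poster's configuration
ext_if  = "xl0"        # assumed name of the outside interface
wifi_if = "wi0"        # wireless leg from the post
portal  = "10.1.1.2"   # internal web server with the intro page and putty
gw_wifi = "10.1.1.1"   # assumed wi0 address of the firewall (sshd/authpf)

# Translation rules are first-match. The authpf rdr anchor is consulted
# before the catch-all redirect, so a "no rdr" that authpf loads for a
# logged-in user takes precedence for that user's address only.
rdr-anchor authpf
rdr on $wifi_if proto tcp from any to any port 80 -> $portal port 80

# Filter section: redirecting is not a security control by itself, so the
# wireless leg stays blocked except for the portal, the ssh login, and
# whatever authpf.rules opens per authenticated user.
block in on $wifi_if all
pass in on $wifi_if proto tcp from any to $portal port 80 keep state
pass in on $wifi_if proto tcp from any to $gw_wifi port 22 keep state
anchor authpf

# /etc/authpf/authpf.nat -- loaded into the rdr anchor when a user logs in.
# $user_ip is the address authpf saw the ssh session come from; it is
# assumed here to be expanded in this file as it is in authpf.rules.
# Macros from pf.conf are not visible here, hence the literal interface.
no rdr on wi0 proto tcp from $user_ip to any port 80
```

With this layout the general rdr line never has to be removed: the exemption lives and dies with the user's authpf session, and authpf unloads it when the ssh session ends. To verify what a user actually got, list the rules and translations in that user's anchor with pfctl's -a option after logging in, and confirm that a second, unauthenticated client on wi0 is still redirected to the portal.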