I have a fedrora core 2 system running as a router, firewall, and proxy server. I have the squid proxy configured using an external ACL to redirect to a terms of service page until the user has accepted them.

I want to be able to block all ports instead of just http until the user has accepted the terms. Currently I am using shorewall as the firewall.

Is there anyway to dynamically update shorewall to block all ports except the transparent proxy redirect of port 80 to port 3128 for all users and then add certain users that are allowed full access?

I would imagine it's better to have the ACL referenced from the ports you want to control,
using port re-direction to move outgoing request to the proxy, ie transparent,
rather than closing the ports and forcing auth only on 80

There is a patch-o-matic patch for netfilter & iptables called condition
I use it to check a dynamically stored variable, eg after a successful pam auth, an OK value (1) is written to /proc/net/ipt_condition/web_ok/192.168.1.21/ to signify that ip is allowed to pass web traffic