So, actually, you've been running a 'not very open wifi' ... worse, it seems you're actively playing Big Brother on unsuspecting users. I guess those tcpdump logs must have gotten you quite a few login/pwd credentials. Not that I care that much. If you log on to some unknown SSID you're implicitly giving up all "rights". IMHO that's true for anonymous wifi as well as the UTP port in your hotel room. Heck, I often wonder how much of my paid-for traffic is being traced/rerouted/throttled/manipulated by my ISP.
Anyway, to be honest, I think you're a bit harsh on Skype and iCloud. I have no experience with the latter, but I have Skype running 'all the time', although almost exclusively for chat. So if I connected to your network, I'd get black-listed "instantly", although I probably would not want to do anything other than check email, see if any messages are queued on Skype and browse around a bit.
If everyone used these 'rules' for their "public" wifi, we'd soon all be running VPN services that route all traffic via port 443, leaving 'volume' as the only viable measurement left... So why not simply skip all the complexity and ban abusers when they are hogging the connection? I honestly don't understand what it is you are trying to protect here; it's not like 'exotic ports' are a scarce commodity or anything... Simply turn on quotas and throttle whoever tries to get more out of it than seems reasonable. I'm pretty sure I do a lot less 'damage' to your network with 'my' Skype than some random guy watching HD YouTube videos.
PS: IMHO you also seem to be naively paranoid about 'hackers' willing to put in the effort to circumvent your rules... do you honestly believe someone will be that desperate? In an extreme-case scenario I can see some bored neighbour taking a stab at it just for fun, not because he actually needs it but rather because a closed-up system screams 'hack me' to the 'initiated'. Once (s)he's had their fun and that itch is over, (s)he'll be gone again, but you'll probably go all mental if you read the logs =)