oh, no sorry, that wont work, you need to get the request allowed and then send a filter ID with it. deny is deny, meaning no access.
dont have a NPS around current, but isnt there some final catch all statement which default to deny, cant you turn that to allow with a filter ID?