So what does this do exactly? If it used "default deny" or "default allow" you wouldn't have both allow and deny rules...