So the SecureStacks do not allow re-ordering of the policy. So there is no top-down execution of rules. There is a precedence. So the rules that are most complex (like your top rules with /24 bit masks) should hit first, and then your simplest ones (like ARP ethertype) should be hit last.
I think another approach to it is to look at the Unregistered Rule set that is part of the default policy domain. It effectively allows minimal traffic to talk to a NAC and get an IP address and do DNS, but no IP traffic (because the default policy is to Deny traffic). It may be a good model to work from.
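To make the difference between list order and precedence concrete, here is an added example (not code from the original post, and not the switch's real classifier): a small Python model that evaluates the same rule set two ways, first top-down as a reader might expect, then by classification precedence as the reply describes. The precedence ranks (subnet match above IP protocol above ethertype), the rule names and the sample frames are all assumed for illustration; the vendor's actual precedence table is not given in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Assumed precedence for this illustration: lower rank wins, so the most
# specific classification (a /24 destination subnet) beats a bare ethertype
# match regardless of where each rule sits in the configured list.
PRECEDENCE = {
    "ip_dest_subnet": 1,
    "ip_proto": 2,
    "ethertype": 3,
}


@dataclass(frozen=True)
class Rule:
    name: str      # hypothetical rule name
    kind: str      # one of the PRECEDENCE keys
    value: str     # "10.1.2.0/24", "6" (TCP), "0x0806" (ARP) ...
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Frame:
    ethertype: int
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None


def matches(rule: Rule, frame: Frame) -> bool:
    """Return True if the frame satisfies the rule's classification."""
    if rule.kind == "ethertype":
        return frame.ethertype == int(rule.value, 0)
    if rule.kind == "ip_proto":
        return frame.ip_proto is not None and frame.ip_proto == int(rule.value)
    if rule.kind == "ip_dest_subnet":
        return (frame.ip_dst is not None and
                ipaddress.ip_address(frame.ip_dst) in ipaddress.ip_network(rule.value))
    raise ValueError(f"unknown rule kind {rule.kind}")


def classify_ordered(rules: List[Rule], frame: Frame, default: str = "deny") -> Tuple[str, str]:
    """Top-down evaluation: the first rule in list order that matches wins."""
    for rule in rules:
        if matches(rule, frame):
            return rule.name, rule.action
    return "default", default


def classify_precedence(rules: List[Rule], frame: Frame, default: str = "deny") -> Tuple[str, str]:
    """Precedence evaluation: among all matching rules, the highest-precedence
    classification type wins; list position is irrelevant."""
    hits = [rule for rule in rules if matches(rule, frame)]
    if not hits:
        return "default", default
    best = min(hits, key=lambda rule: PRECEDENCE[rule.kind])
    return best.name, best.action


# Constructed rule set, deliberately written with a broad ethertype rule first,
# the way an admin used to top-down ACLs might enter it.
RULES = [
    Rule("permit-ip", "ethertype", "0x0800", "permit"),
    Rule("deny-server-net", "ip_dest_subnet", "10.1.2.0/24", "deny"),
    Rule("permit-arp", "ethertype", "0x0806", "permit"),
]

# Constructed sample frames.
TO_SERVER_NET = Frame(ethertype=0x0800, ip_dst="10.1.2.5", ip_proto=6)
TO_ELSEWHERE = Frame(ethertype=0x0800, ip_dst="10.9.9.9", ip_proto=17)
ARP = Frame(ethertype=0x0806)


def compare(frame: Frame) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Return (ordered result, precedence result) for one frame."""
    return classify_ordered(RULES, frame), classify_precedence(RULES, frame)


if __name__ == "__main__":
    for label, frame in [("to server net", TO_SERVER_NET),
                         ("to elsewhere", TO_ELSEWHERE),
                         ("arp", ARP)]:
        ordered, prec = compare(frame)
        print(f"{label:14s} ordered={ordered}  precedence={prec}")
```

The frame to 10.1.2.5 is the one that matters: read top-down it is permitted by the first-listed ethertype rule, but under precedence the more specific /24 deny wins, which is exactly why the reply says the complex rules "hit first" no matter where they sit in the list. The ARP frame and the frame to 10.9.9.9 match only one rule each, so both evaluation styles agree on them.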