TCP wrapper "except" option

5 votes
2 answers
749 views
I configured /etc/hosts.allow at the machine 192.168.122.50 with the following option:

    sshd : ALL EXCEPT 192.168.122.1

and tried `ssh root@192.168.122.50` from the machine 192.168.122.1, and I was able to connect to the machine 192.168.122.50 as root.

Then I added the following rule to the /etc/hosts.deny file at 192.168.122.50:

    sshd : 192.168.122.1

Again, I tried `ssh root@192.168.122.50` from the machine 192.168.122.1. But this time I was **not able to connect** and I got the error:

    ssh_exchange_identification: Connection closed by remote host

This made me doubt the actual behaviour of the EXCEPT directive in /etc/hosts.allow and /etc/hosts.deny. Below is what I understand from this.

1. If we put the **EXCEPT** directive in hosts.allow, it only means that we are not allowing the particular host/network that comes after it, but a connection is still possible **until** we explicitly mention that particular host/network in /etc/hosts.deny. To put it simply: **not allowing does not mean denying**.

2. If we put the **EXCEPT** directive in hosts.deny, it means that we are indirectly allowing the particular host/network to make a connection. To put it simply: **not denying means allowing**.

Am I right in my judgement?

Note 1: The ssh daemon is restarted whenever I make a change in /etc/hosts.allow and /etc/hosts.deny, even though it is not necessary.

Note 2: I understand that allow has more priority than deny.
Asked by sjsam (1614 rep)
Sep 24, 2013, 06:12 PM
Last activity: Aug 29, 2024, 06:38 PM
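The two experiments in the question come down to the evaluation order in hosts_access(5): a connection is granted if it matches hosts.allow, otherwise denied if it matches hosts.deny, otherwise granted. The model below is an added example written for this page, not libwrap's code; it assumes a simplified pattern syntax (only `ALL`, exact addresses, dot-terminated network prefixes and the `EXCEPT` operator, no netmasks, hostnames or shell commands) and replays the configurations from the question.

```python
# Constructed model of tcp_wrappers hosts_access(5) evaluation order (not the libwrap code).
# Supported patterns: ALL, exact client address, "192.168.122." style prefixes, and EXCEPT.

def _match_list(patterns, value):
    """Match one daemon or client list. 'a b EXCEPT c d' matches the left part unless
    the right part matches; 'a EXCEPT b EXCEPT c' nests to the right as in the man page."""
    toks = patterns.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        return (_match_list(" ".join(toks[:i]), value)
                and not _match_list(" ".join(toks[i + 1:]), value))
    return any(t == "ALL" or t == value or (t.endswith(".") and value.startswith(t))
               for t in toks)

def _parse(text):
    """Turn file contents into (daemon_list, client_list) pairs; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1]))
    return rules

def _matches(rules, daemon, client):
    return any(_match_list(d, daemon) and _match_list(c, client) for d, c in rules)

def hosts_access(daemon, client, hosts_allow, hosts_deny):
    """hosts.allow is consulted first, then hosts.deny; no match in either means access."""
    if _matches(_parse(hosts_allow), daemon, client):
        return ("allow", "matched hosts.allow")
    if _matches(_parse(hosts_deny), daemon, client):
        return ("deny", "matched hosts.deny")
    return ("allow", "matched neither file")

# The configurations from the question (constructed file contents).
ALLOW = "sshd : ALL EXCEPT 192.168.122.1\n"
DENY = "sshd : 192.168.122.1\n"

def experiment():
    return {
        "step1": hosts_access("sshd", "192.168.122.1", ALLOW, ""),      # deny file empty
        "step2": hosts_access("sshd", "192.168.122.1", ALLOW, DENY),    # deny rule added
        "other": hosts_access("sshd", "192.168.122.7", ALLOW, DENY),    # a host not excepted
    }

if __name__ == "__main__":
    for step, verdict in experiment().items():
        print(step, verdict)
```

On a real host the same question is answered by `tcpdmatch sshd 192.168.122.1`, which evaluates the actual files. Upstream OpenSSH dropped libwrap support in 6.7, so on such builds hosts.allow and hosts.deny have no effect on sshd at all.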