>     match if ( binary-to-ascii(16, 8, "", packet(24,4)) = "5e89bf41" );

You can write this as :
   match if (  packet(24,4 = 5e:89:bf:41 )

>where 5e89bf41 and 5e89bf1 are gateway ip addresses in hex.

5e89bf1 is missing a digit ?

>when i use
>         deny unknown-clients;
>         allow members of "ADSL_Universal_35";

Do you explicitly need to bar unknown clients ? If not, then "allow 
..." is sufficient to block any client not matching that class.

