I know this sounds mad, but I am just experimenting on my test server
order to get a better grasp of the how filtering works. What I want
to do
is to allow a user to login from the public IP to the server while
protecting the private side.

I understand that this will require NCP filters with UDP and TCP
involving port 524, but I'm not sure as to how to set up the filter
exceptions. Like how the source and destination interfaces would be
to me they would both be set to public. Would there be a query and
responce filter? And how would the source/destination Address be set.
I have been looking through the TID's for a reference to this but the
that I have found have not been very helpful.

Any help would be welcome as I find this whole filter exception
rather confusing.

My test server use a public IP address of mask,
which is simular to my production server.