I’m saying unless you read the code you’re running, including the firmware and the kernel, how can you trust there isn’t a remote execution exploit?
A packet filtering firewall isn't able to protect against server, or protocol exploits directly. Sure, if you know that connections originating from a specific IP are malicious, then you can drop connections originating from that IP, but it will not be able to direclty protect against application layer exploits.
There do exist application layer firewalls (an example of which was pointed out to me here (opensnitch)), but those are out of the scope of this post.