Intel's zero-day problem

It's going in every direction, not just one. When you're dealing with security, you deal with layers. You can't rely on just one layer to be secure, so you hedge and harden everywhere you can.

A host packet filter isn't going to help if your NIC is siphoning off packets for consumption by a management engine before it reaches the host network stack. You should certainly have such a filter, but you can't rely on it exclusively.