I don't know how to say it better than I did in the post you were replying to. I'll try, but perhaps you should read it again.
You can stop almost everything you don't want coming in with a non-stateful static ACL on the upstream router or something like a 3750 switch. The web server or reverse proxy or whatever you have then only has to handle traffic destined for port 80 ( and perhaps ssh from a couple of IP's ). A switch or a router can run that ACL in hardware at the line rate of the port without operating a state table at all, and it doesn't give the attacker a new easy way of taking your site out.
Theres no reason why the host can't have local firewalling too, but it is pretty well irrelevant at that point.
Well hopefully you aren't going to be consulting on anything important that gets deployed.
A stateless ACL on a switch or router that does it in a hardware path will do just fine dropping packets destined for unintended services, and it won't act as an additional attack vector.
A firewall in front of a server farm is a 'layer' that only does harm, and does not do any good.
We have assigned 14
Spend that effort and money on deploying IPv6 instead.
We use up almost 2
You could go through every one of those and fight the massive legal battle to get them all back ( probably taking us well beyond the date when we are out anyway ), and you have only bought a year or two.
Save yourself the trouble and deploy IPv6, instead of making lawyers rich and then deploying IPv6.
Whoever was telling you that we were going to run out in one year five years ago was probably smoking methamphetamines at the time.
The IANA free pool will run out next year, probably before mid year.
The point at which you can't actually receive any more addresses won't come until the RIRs exhaust the blocks that they have received from IANA which might not be for another year after that.
I don't know where you have been getting your predictions. It is pretty certain that IANA is going to run out of space about the middle of next year.
We have 14
Are you betting on the ipv4 space usage magically decreasing ( right when everyone will start freaking out about getting their last allocations )?
Promising costs nothing, it's the delivering that kills you.