Basically, the (iptables) firewall can’t block it and this article explains why:
Before I came across the article I was doing the exact thing the author was doing: flush the existing firewall rules, then implement three rules to block INPUT, OUTPUT and FORWARD. I.e., block all packets. And yet, if I then use $dhclient -r to drop the DHCP lease followed by $dhclient -v to renew it, the router would respond with a new IP address. I thought I had a simple test for blocking broadcast packets but I didn’t.