Haven't read TFA yet, but I think you're expecting too much from your firewall here. These bulbs are hosts, and they're inside the perimeter. They have been hacked, so they send malicious traffic to other inside hosts. What the hell is a firewall going to do about that?


I'm not talking about an edge firewall. I'm talking internally: firewalls are able to trivially stop traffic from reaching the hosts which they could attack. Now, depending on your network configuration, this may need to be done partially by the switch (i.e. a separate VLAN for such devices) and edge firewall, by separate NATs, or by firewalls on the hosts themselves.

EDIT: My simple solution (the one I had in mind) is to make a firewall box. A cheap Linksys router with custom firmware can be set up to act as a switch but will also follow iptables rules. This serves the same sort of purpose as a hardware firewall in the middle of a corporate network, but at lower performance. Bulbs connect to the switch/WAP outside of the firewall, hosts connect inside it. Everything behind it is then restricted from accessing the bulbs, or vice versa.

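The firewall box described in the edit above, as an added example that is not part of the comment: an iptables FORWARD ruleset for a custom-firmware router that routes between the bulb segment and the trusted LAN. Interface names (eth0 uplink, eth1 bulbs, eth2 hosts) are assumptions; if the two segments are bridged rather than routed, the rules only apply with br_netfilter enabled.

```shell
#!/bin/sh
# Added example: isolate a smart-bulb segment from the LAN on a small firewall box.
# Interface names are assumptions; override them via the environment.
IOT_IF="${IOT_IF:-eth1}"   # port/VLAN the bulbs and their WAP hang off
LAN_IF="${LAN_IF:-eth2}"   # port/VLAN the trusted hosts are on
WAN_IF="${WAN_IF:-eth0}"   # uplink towards the edge router
IPT="${IPT:-iptables}"     # set IPT=echo to print the rules instead of applying them

isolate_iot() {
    # Keep our rules in a dedicated chain so re-running the script is idempotent.
    $IPT -N IOT_FWD 2>/dev/null || true
    $IPT -F IOT_FWD
    # Replies to connections the bulbs opened towards the Internet may come back.
    $IPT -A IOT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Bulbs may reach the uplink (their cloud service, NTP, firmware updates)...
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$WAN_IF" -j ACCEPT
    # ...but nothing may be forwarded from the bulb segment to the LAN. Log the
    # attempts (rate-limited) so a compromised bulb scanning the LAN shows up in syslog.
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "iot-to-lan: "
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # And the LAN may not reach the bulbs either, per the comment's "or vice versa".
    $IPT -A IOT_FWD -i "$LAN_IF" -o "$IOT_IF" -j DROP
    # Hook the chain into FORWARD exactly once.
    $IPT -C FORWARD -j IOT_FWD 2>/dev/null || $IPT -I FORWARD 1 -j IOT_FWD
}

case "${1:-}" in
    --apply)   isolate_iot ;;              # needs root on the box
    --dry-run) IPT=echo; isolate_iot ;;    # print the iptables commands only
esac
```

Run with `--dry-run` first to review the generated commands, then `--apply` on the router; add the chain to the firmware's startup script so it survives a reboot.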

Haha, that's not what I thought of when reading a response to api's comment. If you want to call it a "firewall on the host" after api called it a "secure device", then perhaps the disagreement is merely one of terms. Either way, the host uses some method to ignore unwanted packets. I don't think this new "on the host" version of "firewall" is very much in keeping with etymology, which is probably why I was confused.


Well, as I mentioned there, it doesn't necessarily have to be on the host; that's just one option. At home I use the Linksys-based solution I mentioned in my edit, which was more the way I was thinking, and probably more comparable to the commercial firewall appliances you might be thinking of, but deployed internally and on a cheaper scale.


Just don't route packets from the bulbs to your other devices.


That's a good idea, but that logic has to be on the switch. Unless one has a very simple network, the firewall is somewhere else.


WiFi networks already have to have substantial smarts in the router. Adding firewall logic to that wouldn't take much. On simple networks it's typically the same device already.


VLANs can be used to achieve this goal with a non-trivial network too.

