I'd prefer to block them sending them in the first place
I do see the difficulty. An incoming packet has to pass through xinetd, where it can be intercepted by a firewall before arriving at an application. An outgoing packet, though, can be written straight to the port. It'd be nice, though, to have a way of preventing this, though.