When an exploit action is executed on any host in a subnet connected to the Internet, the firewall between the Internet and this subnet cannot check the permission of this action. For example, in a medium_single_site scenario, if the e_ftp action is executed on host (1,0), it can be done even if the firewall only allows the http service.
I have a fixed version on my side. If it is acceptable, I can create a pull request.
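The behaviour reported above, as an added stand-alone model that is not part of the original post and is not the simulator's own code: the first check lets any action through when the target sits in an Internet-facing subnet, the second treats the Internet as a source subnet that is subject to the firewall like any other. The subnet numbering, firewall table and function names are assumptions made for illustration.

```python
INTERNET = 0            # assumption: subnet 0 models the Internet
PUBLIC_SUBNETS = {1}    # subnets directly connected to the Internet

# Constructed firewall table: (src_subnet, dest_subnet) -> allowed services.
FIREWALL = {
    (INTERNET, 1): {"http"},   # only http is allowed in from the Internet
    (1, 2): {"ssh", "ftp"},
    (2, 1): {"ssh"},
}


def traffic_permitted(src_subnet, dest_subnet, service):
    """True if the firewall between the two subnets allows the service."""
    if src_subnet == dest_subnet:
        return True  # traffic inside one subnet never crosses a firewall
    return service in FIREWALL.get((src_subnet, dest_subnet), set())


def reachable_unchecked(target, service, compromised):
    """Reported behaviour: a public-subnet target skips the firewall check."""
    if target[0] in PUBLIC_SUBNETS:
        return True
    return any(traffic_permitted(h[0], target[0], service) for h in compromised)


def reachable_checked(target, service, compromised):
    """Checked behaviour: the Internet is one more source behind a firewall."""
    sources = {INTERNET} | {h[0] for h in compromised}
    return any(traffic_permitted(s, target[0], service) for s in sources)


if __name__ == "__main__":
    host = (1, 0)  # host address as (subnet, host index), as in the report
    for svc in ("http", "ftp"):
        print(svc,
              "unchecked:", reachable_unchecked(host, svc, set()),
              "checked:", reachable_checked(host, svc, set()))
```
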