Allowing hosts by network

Benchmarks 3.4.2 and 3.4.3 ensure that /etc/hosts.allow and /etc/hosts.deny are configured—this means that, for all services that process these two files, only connections from networks that are allowed are actually processed. 

This is generally a good idea—however, many organizations have good firewalls and some actually have policies of not allowing local firewalls on their servers because it complicates the process of debugging. If a connection is denied, the more firewalls you have, the more you have to check to find out where it was denied.

Thus, it is recommended you apply these two benchmarks in accordance with your corporate security policy.
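An audit check for the two files discussed above, as an added example that is not from the book. The function name `audit_wrappers`, the sample network and the temporary files are assumptions made for illustration. It relies on the TCP Wrappers rule that /etc/hosts.allow is consulted before /etc/hosts.deny.

```shell
#!/bin/sh
# Audit TCP Wrappers files. Paths are parameters so copies can be checked.
SKIP='^[[:space:]]*(#|$)'                                    # comment or blank line
CATCHALL='^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'

audit_wrappers() {
    allow=${1:-/etc/hosts.allow}
    deny=${2:-/etc/hosts.deny}
    rc=0

    # hosts.allow must contain at least one active (non-comment) rule.
    if [ -r "$allow" ] && grep -Eqv "$SKIP" "$allow"; then
        echo "PASS: $allow has active rules"
    else
        echo "FAIL: $allow is missing or has no active rules"; rc=1
    fi

    # hosts.allow is consulted first, so a catch-all there admits everyone
    # and hosts.deny is never reached.
    if [ -r "$allow" ] && grep -Eq "$CATCHALL" "$allow"; then
        echo "FAIL: $allow contains ALL: ALL"; rc=1
    fi

    # hosts.deny needs the catch-all so clients not listed above are refused.
    if [ -r "$deny" ] && grep -Eq "$CATCHALL" "$deny"; then
        echo "PASS: $deny denies everything not allowed"
    else
        echo "FAIL: $deny is missing or lacks ALL: ALL"; rc=1
    fi
    return "$rc"
}

# Constructed sample files; 192.0.2.0/24 is a documentation-only range.
tmp=$(mktemp -d)
printf '# management network\nALL: 192.0.2.0/255.255.255.0\n' > "$tmp/hosts.allow"
printf 'ALL: ALL\n' > "$tmp/hosts.deny"
audit_wrappers "$tmp/hosts.allow" "$tmp/hosts.deny"
rm -rf "$tmp"
```

Called with no arguments, the function checks the real /etc/hosts.allow and /etc/hosts.deny, which also gives a quick first answer when tracing where a connection was denied.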
