
You need to be very careful where you deploy such a router. Setting this up with a tftp-enabled port (often all Ethernet ports) exposed to a school network would be madness.
Typically only from port 0. I'm not disagreeing with you, but...
The attacker (malicious student) in your scenario has direct access to a switch port, and (unless it's at the other end of a patch panel) direct access to the WRT as well. So if he can trigger a reboot of the WRT, he can reflash it with an arbitrary firmware. This process takes about ten minutes. (0)
I'm assuming that he doesn't have direct access to it, it's a router in a comms cabinet. He has minimally supervised physical access to network ports though (e.g. a school or internet café). Another OpenWrt router plugged into the network hidden under a desk sending out tftp packets at regular intervals wouldn't necessarily be noticed for a while in such a situation and could be installed easily. The breed of hardware can be derived easily enough from the MAC address and the instructions for flashing are readily available. Blocking the special MAC address required for the tftp process (02:AA:BB:CC:DD:1A for g300nh2) would probably suffice though if you have a switch capable of such things.

James
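
For sites whose switches cannot filter on MAC address, the traffic described in this thread can at least be watched for. The following is an added example, not part of the original messages: a small frame inspector that flags any frame using the recovery MAC quoted above, or any TFTP request to UDP port 69. It assumes the recovery MAC may appear as either source or destination; the other MAC addresses, IP addresses and the file name are constructed test values.

```python
import struct

RECOVERY_MAC = bytes.fromhex("02aabbccdd1a")  # g300nh2 value quoted in the thread
TFTP_OPS = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def inspect_frame(frame):
    """Return a finding for frames touching the recovery MAC or UDP/69, else None."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    hit = {"src": src.hex(":"), "dst": dst.hex(":"),
           "recovery_mac": RECOVERY_MAC in (src, dst), "tftp": None}
    if ethertype == 0x0800 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        udp = off + ihl
        # protocol 17 = UDP; need the 8-byte UDP header plus the 2-byte TFTP opcode
        if frame[off + 9] == 17 and ihl >= 20 and len(frame) >= udp + 10:
            (dport,) = struct.unpack("!H", frame[udp + 2:udp + 4])
            if dport == 69:
                (opcode,) = struct.unpack("!H", frame[udp + 8:udp + 10])
                hit["tftp"] = TFTP_OPS.get(opcode, "unknown")
    return hit if hit["recovery_mac"] or hit["tftp"] else None

def scan(frames):
    """Inspect an iterable of raw Ethernet frames and return only the findings."""
    return [f for f in map(inspect_frame, frames) if f]

def build_frame(dst, src, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP test frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return dst + src + b"\x08\x00" + ip + udp

# Constructed sample traffic: every address except RECOVERY_MAC is made up.
HIDDEN_BOX = bytes.fromhex("020000000001")
DESKTOP = bytes.fromhex("020000000002")
GATEWAY = bytes.fromhex("020000000003")
WRQ = b"\x00\x02firmware.bin\x00octet\x00"
SAMPLE = [build_frame(RECOVERY_MAC, HIDDEN_BOX, 69, WRQ),
          build_frame(GATEWAY, DESKTOP, 53, b"\x12\x34\x01\x00")]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Fed from a mirror port or a saved capture, a repeating stream of findings from one source MAC is the "tftp packets at regular intervals" pattern the message describes.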