You don't necessarily have to set tcp / udp ports up to be publically accessible, for that matter if you care about your internet'in, you could have a box set to specifically answer clients coming from the public net, and do the heavy lifting elsewhere. Anybody not completely sure of their internet facing machines and what ports are in use needs to go back and check this aspect of their setup, end of story. Title would be better phrased as "internet server administrators should do their homework."

For your single box installations, you could possibly do something along these lines, or maybe just rent space on wordpress dot com 😉

http://stackoverflow.com/questions/4961177/how-to-listen-only-to-localhost-on-mongodb