Sure, but the issue here wasn't because the default behavior surprised OP. OP needed a service that was accessible from a remote endpoint, so they needed to have some connection open. They just (for some reason) chose to do it over the public internet instead of a private network.
But regardless of software used, it would have led to the same conclusion, a vulnerable service running on the open internet.