>>joseph+(OP)
It should have the proxy set up but leave opening the port to the user.
No other sever software that I know of touches the firewall to make its own services accessible. Though I am aware that the word being used is "expose". I personally only have private IPs on my docker hosts when I can and access them with wireguard.