But if they have to be exposed then a firewall won't help, and if they don't have to be exposed to the internet then a firewall isn't needed either, just configure them not to listen on non-local interfaces.

This sounds like an extremely effective foot gun.

Just use a firewall.

I'm not sure what you mean, what sounds dangerous to me is not caring about what services are listening to on a server.

The firewall is there as a safeguard in case a service is temporarily misconfigured, it should certainly not be the only thing standing between your services and the internet.

A firewall is a safeguard, period. Like the firewall between the driver and engine in a car.

If you're at a point where you are exposing services to the internet but you don't know what you're doing you need to stop. Choosing what interface to listen on is one of the first configuration options in pretty much everything, if you're putting in 0.0.0.0 because that's what you read on some random blogspam "tutorial" then you are nowhere near qualified to have a machine exposed to the internet.

Don't do anything until you are an expert is excellent gatekeeping, fortunately this is hacker news so we can ignore the gatekeepers!

I suggest people fuck around and find out, just limit your exposure. Spin up a VPS with nothing important, have fun, and delete it.

At some point we are all unqualified to use the internet and we used it anyway.

No one is going to die because your toy project got hacked and you are out $5 in credits, you probably learned a ton in the process.

Absolutely. Thank you.