I feel that there's no longer a such thing as a trusted network anymore.
Because one can install owncloud or other db dependent services without installing the firewall, I just feel that inexperienced users are better served to be inconvenienced by figuring out how to make their db available to other clients than to have their server open to the admittedly rare instance that something is lying in wait on their 'trusted' network. It's awesome that we run the secure script against a new mysql install, closing test account etc, I ran a basic Nessus scan against ns7 with oC and mysql available on green from which it was scanned and it came back without trigger, but still...
I feel that anyone running a server has a responsibility to a least try to ensure their server isn't going to be serving nefarious purposes other than their own, and if they're making a db available to other than localhost then they should have an idea of what their doing.
From a vps standpoint I would be inclined to have more closed by default, basically all but http and https... like ntp, slapd, I just don't make that available unless I need it.
