The best practice for installing your application on a server is to set the listen address to localhost on 8080. Your webserver will listen to port 80/443 and reverse them to localhost:8080 your application, so all incoming request must come through the webserver.
With the firewall you prevent that user can access your application directly on port 8080, because that one is blocked and only port 80/443 is available. So there are 2 security rules that prevent that user directly access your application: the firewall and the Mendix app: listen address to localhost.
With that context the debugger must also going through your webserver on port 80/443 and the webserver reverse it to localhost:8080.
If you're security minded you probably don't want to/shouldn't want to use the debugger in production anyway. It disturbs the flows of production users and allows a lot of access that you shouldn't normally have: ie a security risk :)