By default, all requests arriving at the pi, coming from the internet (WAN), are blocked. Only requests coming from your local LAN are allowed.
To do this, Raspbmc uses iptables. It’s like a firewall, and uses a set of rules to determine if a request has to be blocked or not.