Yes they do.
Now my rules are :
- Allow any on server "internal GW ip address"
- Allow https on server "CP public ip address"
- Allow http on server "CP public ip address"
- Deny any to network "customer internal network"
- Allow any to all destinations
It makes no differences.