I use wildcard tls certs and wildcard dns records for my domains. this ensures that no service can be easily accessed unless you have full domain name. For example If you have plex and deluge then you have to set dns records to plex.abc.xyz and dns.abc.xyz. This can be seen by anyone else trying to find vulnerabilities. But if you have wildcard certs/dns, all anyone can see from outside is *.abc.xyz, only the reverse proxy (eg nginx) knows the domain.
Don’t forward any ports unless you have to. Don’t run any service on 0.0.0.0 unless you have to. Incoming ports on the internet can be super dangerous.
A safe way to do self hosting is with WireGuard, just setup a wireguard container on the server then you can access all the services anywhere when connected from a client without exposing any tcp ports.
For connections why not try traceroute? mtr traceroute
To see things within a packet you can use WireShark.