After configuring VRF to route public prefixes into the fabric, I scanned ip address of default gateway in this public prefix, which is leaf's VLAN interface in VRF "public". And I found out few ports being accessible: 10050, 22, 179. First two: easy part, just disable zabbix-agent and ssh services in default VRF and run them in mgmt VRF. It should be done anyway.
But what about FRR, which - I guess - is responsible for BGP's port 179.
Another check confirmed that port 179 seem to be open in default VRF (scanned VLAN default gateway ip address from server).
Is that by design? I find it a security issue. How to solve this?