the only way to achieve it, ATM, is to setup SME as server only, set its IP as public and disable useless services via db commands (remember to reboot the server after that)
please be aware that some services can't be shut down (dns for example) and so they are reacheble form the "private" lan.. for example, let's say your IP is 11.22.33.44/24, your dns service will be reachable from every IP of that subnet.
you could modify, via template, services' behaviour to make them listen on localhost only.. I remember I tried some time ago, but I didn't spend much time and I didn't get anything usefull
IIRC there's a NFR about it