I'd vote for both.
First, ask yourself if the service you're going to use should be reachable from the public internet. If not, then bind the service to localhost. Additionally, your firewall should be configured to drop all connections by default (iptables default policy "DROP") and only allow those ports that should be publicly reachable (like HTTP/HTTPS) or restricted to your admin IPs (like SSH).
For example, if you don't want to provide access to MySQL from the outside world, then bind the service to localhost _and_ make sure no firewall rule permits connections to port 3306 from the public internet. That way you'll have 2 layers of security: If somebody by accident turns off or misconfigures your firewall then the service would still be unreachable to the public network. The same is true if you by accident bind the service to 0.0.0.0 instead of 127.0.0.1, in that case the firewall would make sure nobody can connect.