I'll add my 2 cents here. First, the previous poster is correct. Port 139 is essentially a windows hack although some SAMBA exploits do/did exist. If you're using SAMBA it's a good idea to fw it off from the outside. However, if you're not using SAMBA and that's a closed port on your system, fw'n it off simply isn't anymore effective than letting the packet run it's standard course. An attempt to connect to closed port isn't a security risk, in and of itself. Ports don't magically open because of such an attempt, nor is it a standard DOS vulnerability. Hence, it's a fool's errand to attempt to identify and block all those ports in which a potential vulnerability exists given certain ports popularity varies over time. Better that each system admin block appropriate ports as needed, (see security advisories for each port you chose to install) and have the admin learn the hard way if need be.
IMO it would really be desirable not to let pf, or whatever fw is implemented, to be morphed into another snake-oil firewall like norton, mcafee, zone alarm, <insert branded firewall here> or any other security bastardization