I'm not sure why you would need to do that. It is becoming increasingly common for providers to block ports 139, 138, 137, so you may not even be able to. In itself NetBIOS outside the network is not dangerous; it's just that you don't want to broadcast, and you need to configure your system so that access to sharing is not available except what you specifically want to grant access to and to whom. Lots of exploits exist for 137-139.
Edit: If you are talking about sharing within the network and using NetBIOS, just open up a range inside the network, like 192.168.254.1 - 192.168.254.9; your firewall rules should still keep you secure from known attacks. It's possible I don't understand the question? Also, what firewall do you use?