Not only will you need ports 137, 138 and 139 opened between your internal network and the DMZ, but you must permit broadcasts with a helper address for each hop in between your server and the client request. Hope this helps!
Do you have any protection whatsoever? I would advise that you look into picking up a generic DSL/cable modem router and refuse to forward any ports internally. Next, if possible, build a BSD or Linux IP filtering NAT/FW device. You can combine all ...
Remember that you can control the flow of traffic in both directions. So specify the two devices explicitly in any access-list or static NAT config, with the designated port/service specified. To garner the most out of the configuration, consideratio...