
   
Special Considerations for NetBIOS

The firewall will allow you to set up gateways for NetBIOS services (UDP/TCP port 137 for the NetBIOS name service, UDP port 138 for the NetBIOS datagram service, and TCP port 139 for the NetBIOS session service). If enabled, these services can optionally be gatewayed with no address translation, and with access allowed from either inside or outside (but subject to the normal source address/port and user restrictions). UDP NetBIOS broadcasts can also be gatewayed, with the broadcast address of the other interface being substituted as the destination address.

If NAT is disabled for NetBIOS, internal IP addresses will be exposed to the outside world; furthermore, the external hosts must be able to route responses back to the hosts behind the firewall. All of this is highly undesirable. Nonetheless, we have allowed this capability because some of our clients have wanted to keep certain hosts on the external network and need bidirectional NetBIOS services between these hosts and internal hosts.

We strongly advise that NetBIOS services are gatewayed only if your Internet router is configured to filter all incoming NetBIOS traffic. That is, use NetBIOS gateways if you need NetBIOS services between internal hosts and one or more external hosts, provided that the external hosts lie behind your Internet router and that you do not allow any NetBIOS traffic from beyond your Internet router. By containing the service in this way, the risk should be acceptable. Alternatively, you should enforce user authentication for these services.
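The containment rule above can be checked against flow records taken at the firewall. The following is an added example, not part of the product or its documentation: the function name, the record layout (source, destination, protocol, destination port) and all addresses are assumptions made for illustration, and NAT is assumed to be disabled for NetBIOS so that the logged addresses are the real ones.

```python
import ipaddress

# NetBIOS services as listed in this section: (protocol, port) -> service
NETBIOS = {("udp", 137): "name", ("tcp", 137): "name",
           ("udp", 138): "datagram", ("tcp", 139): "session"}

def audit_flows(flows, internal_net, perimeter_net):
    """Return the NetBIOS flows that break the containment rule.

    internal_net  : network behind the firewall
    perimeter_net : external segment between firewall and Internet router
    A NetBIOS flow is acceptable only when both endpoints lie in one of
    these two networks; any other endpoint is beyond the Internet router.
    """
    internal = ipaddress.ip_network(internal_net)
    perimeter = ipaddress.ip_network(perimeter_net)

    def contained(addr):
        ip = ipaddress.ip_address(addr)
        return ip in internal or ip in perimeter

    violations = []
    for src, dst, proto, dport in flows:
        service = NETBIOS.get((proto.lower(), dport))
        if service is None:
            continue  # not a NetBIOS service port
        if not (contained(src) and contained(dst)):
            violations.append((src, dst, proto, dport, service))
    return violations

# Constructed sample records (documentation address ranges, not real traffic).
FLOWS = [
    ("10.1.0.20", "192.0.2.5", "tcp", 139),     # internal -> perimeter host
    ("192.0.2.5", "10.1.0.20", "udp", 137),     # perimeter host -> internal
    ("10.1.0.20", "192.0.2.15", "udp", 138),    # gatewayed broadcast, perimeter side
    ("203.0.113.9", "10.1.0.20", "tcp", 139),   # arrives from beyond the router
    ("10.1.0.20", "198.51.100.7", "udp", 137),  # leaves beyond the router
    ("203.0.113.9", "10.1.0.20", "tcp", 443),   # not NetBIOS, ignored
]

if __name__ == "__main__":
    for v in audit_flows(FLOWS, "10.1.0.0/24", "192.0.2.0/28"):
        print("NetBIOS %s service crossed the Internet router: %s -> %s %s/%d"
              % (v[4], v[0], v[1], v[2], v[3]))
```

Any record this reports means the Internet router is not filtering NetBIOS as advised, or that a gateway is reachable from a host that does not sit behind that router.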


Copyright © 2004, CEQURUX Technologies