Usually, if you have iptables running, the conntrack mechanism will track the back-channel and allow it for you.
The comment in the link refers to older firewall styles that blanket block udp ports, making the newer dns fail...
So, if you don't have any dns problems, you are seeing that the port was used by named as a back-channel. It may stay in the conntrack list for several hours, depending on the timeout period for udp ports.
Have a blanket udp block if you use iptables
smb uses a combination of udp and tcp ports: tcp for name resolution and udp for data. Three ports in total, 137, 138 & 139.
There isn't any way to restrict the 0.0.0.0:137 & 0.0.0.0:138 udp entries.
If, of course, I am wrong, I get to taste my woolen hat, again.
It really doesn't matter if the box is listening, so long as you control the ports with rules, & -j LOG entries, to be sure.
Have you seen this tutorial?
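As an added example (not part of the post above), this Python script shows how to tell a conntrack "back-channel" from an unsolicited inbound packet by parsing entries in /proc/net/nf_conntrack layout: a UDP query to port 53 that has seen a reply is the named back-channel the post describes, while an UNREPLIED entry addressed to the host is the kind of traffic a default-drop INPUT policy with -j LOG should be catching. The sample lines, the addresses and the choice of 192.0.2.10 as the local host are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/net/nf_conntrack layout; addresses are documentation ranges.
SAMPLE = """\
ipv4     2 udp      17 118 src=192.0.2.10 dst=198.51.100.53 sport=41234 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=41234 [ASSURED] mark=0 use=1
ipv4     2 udp      17 27 src=192.0.2.10 dst=198.51.100.53 sport=41999 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.10 sport=53 dport=41999 mark=0 use=1
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=50001 dport=139 src=203.0.113.5 dst=192.0.2.10 sport=139 dport=50001 [ASSURED] mark=0 use=1
ipv4     2 udp      17 25 src=192.0.2.77 dst=192.0.2.10 sport=137 dport=137 [UNREPLIED] src=192.0.2.10 dst=192.0.2.77 sport=137 dport=137 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

@dataclass
class Flow:
    proto: str
    timeout: int   # seconds left before conntrack expires the entry
    orig: tuple    # (src, dst, sport, dport) of the packet that created the entry
    reply: tuple   # the reverse tuple conntrack accepts answers on
    flags: set     # e.g. {"ASSURED"} or {"UNREPLIED"}

def parse_conntrack(text):
    """Parse /proc/net/nf_conntrack style lines into Flow records."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 5 or len(tuples) != 2:
            continue  # blank or unexpected line layout
        orig, reply = (tuple((t[0], t[1], int(t[2]), int(t[3]))) for t in tuples)
        flows.append(Flow(fields[2], int(fields[4]), orig, reply,
                          set(re.findall(r"\[(\w+)\]", line))))
    return flows

def dns_back_channels(flows):
    """UDP queries to port 53 that got a reply: the back-channel conntrack keeps
    open so the resolver's answer comes in as ESTABLISHED without its own rule."""
    return [f for f in flows
            if f.proto == "udp" and f.orig[3] == 53 and "UNREPLIED" not in f.flags]

def unsolicited_inbound(flows, local_ip):
    """Entries created by packets *to* this host that nothing answered; these are
    what a blanket drop on INPUT (with -j LOG) should be accounting for."""
    return [f for f in flows if f.orig[1] == local_ip and "UNREPLIED" in f.flags]

if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE)
    for f in dns_back_channels(flows):
        print(f"dns back-channel sport={f.orig[2]} -> {f.orig[1]} expires in {f.timeout}s")
    for f in unsolicited_inbound(flows, "192.0.2.10"):
        print(f"unsolicited {f.proto} from {f.orig[0]} to port {f.orig[3]}")
```

On a live box the same functions can be fed the contents of /proc/net/nf_conntrack (or `conntrack -L` output reshaped to this layout) to see how long a UDP entry actually lingers under the current timeouts.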