Some services, such as NetBIOS, use more than one port. In this case it might be easier to define the range of ports first and then refer to this range in the actual rule. The port range for NetBIOS (incl. LDAP and Terminal Services) is defined by adding the following line to the top of the file, before the rules:
ports_win = "{ 137, 138, 139, 445, 389, 3389 }"
and the actual rule is
block in on $ext_if proto { tcp,udp } from any to $internal_net port $ports_win