IMNSHO you are doing something wrong if you rely on firewalls to protect your servers.
Instead, you should simply have services listening on specific interfaces, only exposing those that are actually intended to be exposed.
Admittedly hard to do for SMB on Windows though :-(
Being able to filter traffic can sure come in handy, and perhaps provide an extra layer in case you screw up the config somewhere, but the response to unwanted services running shouldn't default to "firewall".
And if you need to talk Telnet/SMB/etc over the interwebs, use a damn VPN. SMB is unlikely to get through from consumer providers and corporate networks anyways.
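
An added example, not part of the comment above: a small audit of listening sockets that reports services bound to more than loopback on ports the host is not meant to expose. The `ss -H -tlnp` sample and the `INTENDED` port set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tlnp` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50   0.0.0.0:445      0.0.0.0:* users:(("smbd",pid=1201,fd=31))
LISTEN 0 244  127.0.0.1:5432   0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 511  10.0.0.5:443     0.0.0.0:* users:(("nginx",pid=1100,fd=6))
LISTEN 0 128  [::]:23          [::]:*    users:(("telnetd",pid=1300,fd=3))
LISTEN 0 128  *:8080           *:*       users:(("java",pid=1400,fd=9))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
"""

# Assumption: the ports this host is actually intended to expose.
INTENDED = {22, 443}

def bind_scope(addr):
    """Classify a local address as 'wildcard', 'loopback' or 'specific'."""
    host = addr.split("%", 1)[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    if host == "*":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def parse_listeners(ss_output):
    """Yield one dict per LISTEN line: addr, port, proc, scope."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        proc = re.search(r'\(\("([^"]+)"', line)
        yield {"addr": addr, "port": int(port), "scope": bind_scope(addr),
               "proc": proc.group(1) if proc else "?"}

def unintended_exposure(ss_output, intended=INTENDED):
    """Listeners reachable beyond loopback on ports not meant to be exposed."""
    return [l for l in parse_listeners(ss_output)
            if l["scope"] != "loopback" and l["port"] not in intended]

if __name__ == "__main__":
    for l in unintended_exposure(SAMPLE_SS):
        print(f'{l["proc"]:<10} {l["addr"]}:{l["port"]} ({l["scope"]} bind)')
```

Each reported service is a candidate for rebinding to a specific interface or loopback in its own configuration, with packet filtering kept as the backstop.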