Some cursory googling indicates that most people don't use the --zone=public. I don't know firewalld well, the iptables command used to be something like
iptables -I INPUT 5 -s 192.168.1.0/24 -p udp -d 0/0 --dport 137:139 -j ACCEPT
iptables -I INPUT 6 -s 192.168.1.0/24 -p tcp --syn -d 0/0 --dport 137:139 - ACCEPT
But that's from years ago, and I don't remember if I ever checked if it needed both udp and tcp. I also remember that grc used to consider opening port 139 a risk.
EDIT: See Flying Dutchman's post below, apparently those ports are no longer needed.