If you are using Windows file sharing on a Mac server, it automatically configures itself to allow those ports through. If you are using a separate firewall, then it is not the Mac you need to configure. However, it is not a good idea to allow these ports to be usable directly over the Internet. You should instead set up a VPN server (which could be the Mac server). The PC would connect to the VPN server and then be able, via the VPN connection, to contact the file server.
In general, yes, use a VPN to restrict access to a server that doesn't need to be publicly accessible, and don't open ports to the Internet. The Internet gremlins can and will find the open ports, and can and will poke at them. Incessantly. Even if the gremlins don't breach your system security due to a protocol-level vulnerability or a poorly-chosen password, they'll certainly fill your server logs trying.
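The arrangement both replies recommend, written as a packet-filter fragment; this is an added example, not part of either post. It assumes a macOS release that ships the pf packet filter, and the two subnets are placeholders to replace with your own LAN and VPN address ranges.

```pf
# pf.conf fragment (added example; addresses below are assumptions)
lan_net   = "192.168.1.0/24"   # assumption: the local office network
vpn_net   = "10.8.0.0/24"      # assumption: address pool the VPN server hands to clients
smb_ports = "{ 139, 445 }"     # TCP ports used by Windows (SMB) file sharing

# Weak setting, shown commented out for comparison:
# file sharing answers any source address, including the Internet.
# pass in quick proto tcp from any to any port $smb_ports

# Corrected setting: accept file-sharing connections only from the LAN
# and from clients that have already authenticated to the VPN.
pass in quick proto tcp from { $lan_net, $vpn_net } to any port $smb_ports

# Everything else aimed at the file-sharing ports is dropped.
# "quick" stops rule evaluation at the first match, so the pass rule
# above must stay ahead of this block rule.
block in quick proto tcp from any to any port $smb_ports
```

If a separate firewall or router sits in front of the server, the same policy belongs there as well: forward only the VPN's own port to the inside, and never the file-sharing ports.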