Security

The AS/400 with a Bastion Host Firewall

A Bastion Host Firewall is a dual-homed server that, among other things, does not allow any IP datagram forwarding. This forces users (both external and internal) to log on to specially written applications. These applications could act as a proxy or SOCKS server, or simply log all access.

For example, this would allow your internal users to Telnet to the Bastion Host Firewall (log on), then Telnet from the firewall to the external network. At the same time, external users would not be able to Telnet to the Bastion Host at all.
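
The access rules described above, modelled as an added example (not code from the original presentation). The addresses, the `zone`, `decide` and `audit` names, and the sample traffic are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the dual-homed bastion host (assumptions, not from the page)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
BASTION_INT = ipaddress.ip_address("10.0.0.1")    # interface facing internal users
BASTION_EXT = ipaddress.ip_address("192.0.2.1")   # interface facing the external network
TELNET = 23

def zone(ip):
    """Classify an address as bastion, internal or external."""
    if ip in (BASTION_INT, BASTION_EXT):
        return "bastion"
    return "internal" if ip in INTERNAL_NET else "external"

def decide(src, dst, port=TELNET):
    """Return (verdict, reason) for one connection attempt seen at the bastion."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone(s), zone(d)
    if sz != "bastion" and dz != "bastion":
        # Traffic that would have to be routed through the host: forwarding is off.
        return "DROP", "no IP datagram forwarding"
    if sz == "internal" and d == BASTION_INT and port == TELNET:
        return "ALLOW", "internal user logs on to bastion"
    if s == BASTION_EXT and dz == "external":
        return "ALLOW", "outbound session opened from bastion"
    return "DENY", "no service offered to this source"

def audit(attempts):
    """Evaluate attempts in order and return the access log the bastion would keep."""
    return [(src, dst, port) + decide(src, dst, port) for src, dst, port in attempts]

# Constructed sample traffic
ATTEMPTS = [
    ("10.0.0.42", "10.0.0.1", 23),       # internal user -> bastion
    ("192.0.2.1", "198.51.100.7", 23),   # bastion -> external host
    ("10.0.0.42", "198.51.100.7", 23),   # internal user straight to external host
    ("198.51.100.7", "192.0.2.1", 23),   # external user -> bastion
]

if __name__ == "__main__":
    for record in audit(ATTEMPTS):
        print(*record, sep="  ")
```

The third attempt is the case that matters: an internal user cannot reach the external network in one hop, so every outbound session passes through the logon and logging on the bastion.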

SEC067