For an extra level of protection you may want to add some Packet Filtering between the Bastion Host Firewall and the external network. Often this could be provided by the ISP who installs and configures the IP router for you.
The Packet Filtering router would be used as the first line of defense. Only traffic from/to networks on certain ports will be allowed. Once through the Packet Filter, then the rogue hacker must do battle with the Bastion Host Firewall, but with a limited range of ports and protocols due to the effects of the Packet Filter.
DMZ stands for De-Militarized Zone. This is a region where the rogue hacker could stand - but without most of his weapons (like Telnet, FTP, etc) due to the effects of the Packet Filter.
SEC068