newbie: Proxy as Bastion Host?

[Andre Anneck <andre.anneck () pmbs de>]

Hi there,

I have been reading the security advisories of FreeBSD, Linux,  read the
book "SATAN" from O'Reillly,
 and browsed through a lot of web-information about Firewall concepts etc.

I did all this because I am in need to present a Firewall concept to our
managers... *sweat*.
Now the Question.
I read that as bastion host is usually used as a proxy, socks,
auhtentification server that resides before the firewall. The idea behind
this bastion host is to only allow certain connection types _from_ the
bastion host to the firewall, and block off all other request of these
connection types. [right/wrong?]

Now, what I didnt find in the books is a good explanation WHY it would be
better to have the "proxy" outside as a bastion host, instead of behind the
firewall. The firewall could basically work as a proxy too...
Now as I trust the books when they say its better to have proxy be a bastion
host, I still have to explain the WHY to our managers....
Can someone explain the Why to me? 

TIA,
 Andre Anneck