
And by "forever" it is meant ~1994; see Cheswick and Bellovin (§3.1):

> Up to this point, we have used the words “firewall” and “gateway” rather casually. We will now be more precise. A firewall, in general, consists of several different components (Figure 3.1). The “filters” (sometimes called “screens”) block transmission of certain classes of traffic. A gateway is a machine or a set of machines that provides relay services to compensate for the effects of the filter. The network inhabited by the gateway is often called the demilitarized zone (DMZ). A gateway in the DMZ is sometimes assisted by an internal gateway. Typically, the two gateways will have more open communication through the inside filter than the outside gateway has to other internal hosts. Either filter, or for that matter the gateway itself, may be omitted; the details will vary from firewall to firewall. In general, the outside filter can be used to protect the gateway from attack, while the inside filter is used to guard against the consequences of a compromised gateway. Either or both filters can protect the internal network from assaults. An exposed gateway machine is often called a bastion host.

* https://en.wikipedia.org/wiki/Firewalls_and_Internet_Securit...

* https://archive.org/details/firewallsinterne00ches

Ingham and Forrest wrote a good history of firewalls:

* https://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf



