I’ve been thinking here… If hostapd is running on IPFire and providing an access point (blue), anyone who is a client to that access point has no choice but to go through IPFire, because it’s not the outer host that provides the AP. So far, mission accomplished.
However, if the host machine is connected to the ISP modem through an Ethernet cable and feeding IPFire’s red interface, IPFire cannot protect the host’s outer interface from the wild wild web. The host machine is then vulnerable.
I don’t even know what role green would ever play in this kind of arrangement.