Forcing all DNS traffic from the LAN to the firewall

Hi Jon,

LOL - YMMD! Sorry, this is a bit longer than I wanted. :slightly_smiling_face:

Explanation => actually, I asked a wrong/misleading question, but got an interesting answer:

Answer:

I totally overlooked the table with the two options for BLUE! Please don’t ask me why! :roll_eyes:

So I originally added a CGI entry for BLUE which is only shown if BLUE exists. At the top of the page, right under the Masquerading ORANGE/BLUE-selections. These selections are only shown if (&Header::blue/orange_used()) is true in optionsfw.cgi.
Next I thought about adding the appropriate DNS- and NTP-REDIRECT rules to /etc/init.d/firewall. But where? And that was my original question. Where to put these rules in the firewall init script!? And is this script the right place? Is there something better?

For now, if I follow your proposal, the REDIRECT rules for GREEN would still go in /etc/init.d/firewall. Ok. And this question is still active: where is the right place to add the DNS- and NTP-REDIRECT rules for GREEN in /etc/init.d/firewall?

For BLUE it is different:
The REDIRECT rules for BLUE must be added in wirelessctrl.c, because the two rules for DROPPROXY and DROPSAMBA are managed by wirelessctrl.c (line 109ff). The table Firewall options for BLUE interface is shown even if BLUE doesn’t exist. There is no verification here. If BLUE doesn’t exist, this is handled in another way (line 78ff).

In the end, I would perhaps stick to your proposal, but it made me laugh that I overlooked this. We’ll see. Back to keyboard.

Best,
Matthias

EDIT:
Btw, it is very interesting how /var/ipfire/optionsfw/settings is processed:

CONNTRACK_TFTP=on		(init-firewall)
DROPFORWARD=on 			(firewall-policy)
DROPPROXY=off 			(wirelessctrl.c)
CONNTRACK_H323=off		(init-firewall)
DROPNEWNOTSYN=on		(init-firewall)
DROPINPUT=on			(firewall-policy)
SHOWREMARK=on			(firewall.cgi)
FWPOLICY=REJECT			(rules.pl, firewall-policy)
DROPWIRELESSFORWARD=on	(wirelessctrl.c)
SHOWCOLORS=on			(optionsfw.cgi, firewall.cgi)
NTP_FORCE_ON_GREEN=on	???
CONNTRACK_PPTP=off		(firewall.cgi)
DROPOUTGOING=on			(firewall-policy)
SHOWDROPDOWN=on			(firewall.cgi, fwhosts.cgi, optionsfw.cgi)
DROPPORTSCAN=on			(init-firewall, optionsfw.cgi)
CONNTRACK_IRC=off		(init-firewall)
DROPWIRELESSINPUT=on	(wirelessctrl.c)
MASQUERADE_GREEN=on		(init-firewall)
FWPOLICY2=REJECT		(rules.pl, firewall-policy)
SHOWTABLES=on			(optionsfw.cgi, firewall.cgi)
CONNTRACK_SIP=off		(init-firewall)
DROPSAMBA=off			(wirelessctrl.c)
FWPOLICY1=REJECT		(rules.pl, firewall-policy)
CONNTRACK_FTP=on		(init-firewall)
DNS_FORCE_ON_GREEN=on	???
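As an added illustration of the REDIRECT rules discussed in this post (example code, not IPFire's own firewall script or anything from the thread), here is a small POSIX shell script that reads the DNS_FORCE_ON_GREEN / NTP_FORCE_ON_GREEN keys from a settings file in the same format as the dump above and prints the nat PREROUTING rules that would force GREEN clients' DNS and NTP to the firewall. The interface name green0, the firewall address 192.168.1.1 and the sample settings file are assumptions; the rules are printed rather than applied, so it runs without iptables.

```shell
#!/bin/sh
# Added example (not IPFire code): derive the NAT REDIRECT rules that force
# GREEN clients' DNS (53/udp+tcp) and NTP (123/udp) to the firewall itself,
# gated on DNS_FORCE_ON_GREEN / NTP_FORCE_ON_GREEN. Rules are printed, not
# applied. Interface "green0" and firewall IP 192.168.1.1 are assumptions.

# Print the value of KEY ($2) from settings file ($1); empty if absent.
read_setting() {
    sed -n "s/^$2=\([^[:space:]]*\).*/\1/p" "$1"
}

# Emit one PREROUTING REDIRECT rule per protocol/port for interface $1.
# Packets already addressed to the firewall ($3) are excluded, so only
# clients that try to bypass the local resolver / NTP server are caught.
redirect_rules() {
    iface=$1; settings=$2; fw_ip=$3
    if [ "$(read_setting "$settings" DNS_FORCE_ON_GREEN)" = "on" ]; then
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $iface ! -d $fw_ip -p $proto --dport 53 -j REDIRECT --to-ports 53"
        done
    fi
    if [ "$(read_setting "$settings" NTP_FORCE_ON_GREEN)" = "on" ]; then
        echo "iptables -t nat -A PREROUTING -i $iface ! -d $fw_ip -p udp --dport 123 -j REDIRECT --to-ports 123"
    fi
}

# Constructed sample settings: same key names as optionsfw/settings, no notes.
SAMPLE_SETTINGS=$(mktemp)
cat > "$SAMPLE_SETTINGS" <<'EOF'
DROPPROXY=off
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DROPSAMBA=off
EOF

# Number of rules produced for the sample (2 DNS + 1 NTP = 3).
sample_rule_count() {
    redirect_rules green0 "$SAMPLE_SETTINGS" 192.168.1.1 | wc -l | tr -d ' '
}

redirect_rules green0 "$SAMPLE_SETTINGS" 192.168.1.1
```

Turning either key to off in the sample file drops the matching rules, which is the behaviour the init script would need to mirror when it re-reads the settings.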