You can filter Blue->Red, Blue->Green, Blue->Orange traffic by MAC.
System access rules, as far as I know, refer to rules that allow clients to access the firewall, just for administering the firewall.
Do you need to block that as well?
But how? I've tried in the outgoing firewall. I created a rule denying Blue -> Red, then above that a rule allowing only specific MAC addys. But even if I leave only the deny all blue rule enabled, I can still access the net on blue.