    I think the public/privite thing was added to late to allow it to apply 'by network'.

    You don't need 'Public' to activate the firewall. The firewall works just fine on 'Private' networks. 'Public' just goes one step further and disables all exceptions.