Last edited:
Linux Mint Cinnamon Wayland setup
- Thread starter LinuxFan58
- Start date
- Last updated
- Jun 1, 2026
- How it's used?
- For work or educational use
- Operating system
- Linux
- Other operating system
- Linux Mint 22.3 Zena Cinnamon Wayland
- On-device encryption
- Other full-disk drive encryption software
- Log-in security
- Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
- Security updates
- Allow security updates and latest features
- Update channels
- Allow stable updates only
- User Access Control
- N/A - Linux / Mac / Other operating system
- Smart App Control
- N/A - Linux / Mac / Other operating system
- Network firewall
- Enabled
- About WiFi router
- TP-Link triband with IPv6 disabled, We use the three WIFI-networks seperately. The 2.4 Ghz is used for IoT-devices and guest (SPI-, NAT, ARP-filtering and intrusion detection enabled). The two 5 Ghz networks are for my wife and I (each uses his/her own) with additionally IP-MAC binding and MAC filtering enabled. I have set the e-mail log message level to critical events (acting as a rudimentary NIDS). The 5Ghz network has eternal lease time while 2.4 Ghz has short lease time (8 hours) and network partitioning enabled.
- Real-time security
- Non root user using build-in Linux sandboxing (AppArmor, Firejail, Flatpak) as extra protection layer.
- Firewall security
- Built-in Firewall for Mac/Linux
- About custom security
- Using only official package sources from verified publishers and de-installed all unused accessoires and applications.
- Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide.
- Created additional Firejail profiles with firecfg and reduced Flatpak permissions with flatseal.
- Added OpenSnitch outbound application firewall to compliment inbound GuFW.
- Installed logcheck with e-mail warning for security alerts & events
- Using Wayland (experimental) on Cinnamon desktop.
- Brave-Origin policies and site-pernissions.
- Vibe coded Download Sentinel
- Periodic malware scanners
- When I receive files from others I scan them with Virus Total. My half yearly data backups to external USB are scanned with Microsoft Defender
- Malware sample testing
- I do not participate in malware testing
- Environment for malware testing
- None
- Browser(s) and extensions
- Brave-Origin with Brave adShield disabled and my two vibe coded security extensions. Using uBlockOriginLite with custom rules, added Kees1958 on ChatGPT's advice for blocking over 80% of the tracking requests!. For annoying websites I enable Brave adShield on-demand (in aggressive mode with Brave's adblock, AdGuard's URL parm, Easylist cookie and Fanboy/uBo annoyances filters enabled).
- Secure DNS
- NextDNS in the Router with OISD and telemetry blocklists enabled (for IOT devices), allowing only common TopLevelDomains to connect.
- We use Quad9 as default DNS (at OS-level) for our Laptops and smartphones (to bypas router TLD firewall restrictions)
- Cloudflare Zero Trust Free plan (with malware protection) is used as DOH in browser with custom block page..
- Desktop VPN
- Proton VPN free for Linux on-demand (out of home). At home I have little use for VPN because our IP and IP location are changed regularly
.
- Password manager
- Build-in (OS and Browser)
- Maintenance tools
- None
- File and Photo backup
- FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessoires and applications have no access to.
- The half yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
- Subscriptions
- None
- System recovery
- TimeShift (to another partition on 1 TB SSD)
- Risk factors
- Browsing to popular websites
- Working from home
- Making audio/video calls
- Opening email attachments
- Buying from online stores, entering banks card details
- Logging into my bank account
- Streaming audio/video content from trusted sites or paid subscriptions
- Computer specs
- AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
- Notable changes
- To many
After jumping back and forth, I finally decided for:
- Changed from ControlD free to Cloudflare free ZT
- Replaced 7-zip (unsandboxed) with PeaZip in Flatpak
- Moved from LibreOffice in Flatpak to LibreOffice in Firejail
- Moved from Thunderbird to Evolution (both in Flatpak sandbox)
- Moved from Xfce desktop with X11 to Cinnamon desktop with Wayland
- What I'm looking for?
Looking for maximum feedback.
I ended up with chrome://flags and switch, these flags are mostly experimental and more you tweak them more you 're unique in fingerprinting, now i just use templates in a json and use regular chromium : ON DEBIAN
Thanks for joining, care to explain your mysterious nickname? I think the 64 is your year of birth, but now Idea what 7Oz stands for
7 oz stands for 7 ounces, a unit of measurement in the US Customary System that can refer to either weight (for solids) or volume (for liquids),
Common items that weigh or contain approximately 7 oz include a medium apple, a medium cooked chicken breast, a small can of soda, or a standard smartphone.
You're most WelcomeThanks for joining, care to explain your mysterious nickname? I think the 64 is your year of birth, but now Idea what 7Oz stands for
7 oz stands for 7 ounces, a unit of measurement in the US Customary System that can refer to either weight (for solids) or volume (for liquids),
Common items that weigh or contain approximately 7 oz include a medium apple, a medium cooked chicken breast, a small can of soda, or a standard smartphone.
You just find a new Thread to create if not already!!!
Ah you give two bad answers, some hints :
64 refer to something in my avatar (soup), and the second one is from India.(solid)
Good Luck!!!
Okay I see a Linux cannibal who has Ubuntu on a stick and boils a pot of soup from windows.You're most Welcome
You just find a new Thread to create if not already!!!
Ah you give two bad answers, some hints :
64 refer to something in my avatar (soup), and the second one is from India.(solid)
Good Luck!!!
In India, the number 64 (Hindi: चौसठ or चौंसठ) is culturally significant primarily for the 64 Arts (Chausat Kala), a classical catalog of skills including singing, dancing, painting, and playing instruments.
7Oz is also the weight of a hamster, so you are the mysterious dancing hipster from india, who magically can brew windows functionality into his ubuntu setup
That explains it all, how could I miss that
Last edited:
I read that avatar's picture as native of the Ubuntu tribe boiling Windows soup for dinner.
@LinuxFan58
I see you're using NextDNS cli, you can install this applet for always see if it's active or deactivate by something else.
Work ONLY on Cinnamon Flavor :
I see you're using NextDNS cli, you can install this applet for always see if it's active or deactivate by something else.
Work ONLY on Cinnamon Flavor :
JSON:
/home/$USR$/.local/share/cinnamon/applets/nextdns@local
Two files to put in folder
file applet.js :
const Applet = imports.ui.applet;
const PopupMenu = imports.ui.popupMenu;
const Util = imports.misc.util;
const GLib = imports.gi.GLib;
class NextDNSApplet extends Applet.TextIconApplet {
constructor(metadata, orientation, panelHeight, instanceId) {
super(orientation, panelHeight, instanceId);
this.set_applet_tooltip("NextDNS");
this.menuManager = new PopupMenu.PopupMenuManager(this);
this.menu = new Applet.AppletPopupMenu(this, orientation);
this.menuManager.addMenu(this.menu);
this._buildMenu();
this._updateStatus();
this._startTimer();
}
_buildMenu() {
this.menu.removeAll();
this.menu.addAction("Ouvrir les logs", () => {
Util.spawnCommandLine("gnome-terminal -- journalctl -u nextdns.service -f");
});
this.menu.addAction("Démarrer", () => Util.spawnCommandLine("systemctl start nextdns.service"));
this.menu.addAction("Arrêter", () => Util.spawnCommandLine("systemctl stop nextdns.service"));
this.menu.addAction("Redémarrer", () => Util.spawnCommandLine("systemctl restart nextdns.service"));
}
_updateStatus() {
let [ok, out] = GLib.spawn_command_line_sync("systemctl is-active nextdns.service");
let status = out.toString().trim();
if (status === "active") {
this.set_applet_icon_path(GLib.get_home_dir() + "/.local/share/YOUR PNG ICON PATH");
this.set_applet_tooltip("NextDNS actif");
} else {
this.set_applet_icon_path(GLib.get_home_dir() + "/.local/share/icons/YOUR PNG ICON PATH");
this.set_applet_tooltip("NextDNS inactif");
}
}
_startTimer() {
GLib.timeout_add_seconds(GLib.PRIORITY_DEFAULT, 2, () => {
this._updateStatus();
return true;
});
}
}
function main(metadata, orientation, panelHeight, instanceId) {
return new NextDNSApplet(metadata, orientation, panelHeight, instanceId);
}
File metadata.json :
{
"uuid": "nextdns@local",
"name": "NextDNS Status",
"description": "Indicateur d'état du service NextDNS",
"version": 1
}For Browsing, IMHO, i found Brave really good for security, speed and outside privacy, but too much things on board, this is why i use Chromium without any flags or switch just pass a long time to setup granular policies for the best result in privacy and security and most important surfing without problem (banking..........).
See my set of policies if you're interested, i am also curious about how did you set your kernel's parameters if you do.
See my set of policies if you're interested, i am also curious about how did you set your kernel's parameters if you do.
JSON:
{
"AIModeSettings": 1,
"BuiltInAIAPIsEnabled": false,
"GeminiActOnWebSettings": 1,
"GenAILocalFoundationalModelSettings": 1,
"HelpMeWriteSettings": 2,
"DevToolsGenAiSettings": 2,
"BlockThirdPartyCookies": true,
"BrowserAddPersonEnabled": false,
"BrowserGuestModeEnabled": false,
"BrowserGuestModeEnforced": false,
"BuiltInDnsClientEnabled": false,
"DnsOverHttpsMode": "off",
"EnableMediaRouter": false,
"ShowCastIconInToolbar": false,
"MediaRouterCastAllowAllIPs": false,
"PasswordManagerEnabled": false,
"PaymentMethodQueryEnabled": false,
"SpellCheckServiceEnabled": false,
"SyncDisabled": true,
"SafeBrowsingDeepScanningEnabled": false,
"SafeBrowsingExtendedReportingEnabled": false,
"MetricsReportingEnabled": false,
"UserFeedbackAllowed": false,
"UrlKeyedAnonymizedDataCollectionEnabled": false,
"DomainReliabilityAllowed": false,
"SearchSuggestEnabled": false,
"GoogleSearchSidePanelEnabled": false,
"NetworkPredictionOptions": 2,
"QuicAllowed": false,
"HardwareAccelerationModeEnabled": true,
"ClearBrowsingDataOnExitList": [
"browsing_history",
"download_history",
"cookies_and_other_site_data",
"cached_images_and_files",
"password_signin",
"autofill",
"site_settings",
"hosted_app_data"
],
"ExtensionInstallBlocklist": ["*"],
"ExtensionInstallAllowlist": [
"jobpjnhlpobhgdddaeifllnbbleopibe",
"ddkjiahejlhfcafbddmgiahcphecmpfh",
"oboonakemofpalcgghocfoadofidjkkk",
"aghfnjkcakhmadgdomlmlhhaocbkloab",
"icpgjfneehieebagbmdbhnlpiopdcmna"
],
"DefaultSearchProviderEnabled": true,
"DefaultSearchProviderKeyword": "search",
"DefaultSearchProviderName": "StartPage",
"DefaultSearchProviderSearchURL": "https://www.startpage.com/do/search?query={searchTerms}&prfe=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"DefaultSearchProviderSuggestURL": "https://www.startpage.com/osuggestions?q=%s&prfe=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"HomepageIsNewTabPage": false,
"HomepageLocation": "https://www.startpage.com/do/mypage.pl?prfe=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"NewTabPageLocation": "https://www.startpage.com/do/mypage.pl?prfe=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"ShowHomeButton": true,
"DownloadDirectory": "/home/$USER$/Bureau",
"DefaultDownloadDirectory": "/home/$USER$/Bureau",
"AutoplayAllowed": false,
"DefaultGeolocationSetting": 3,
"DefaultSensorsSetting": 2,
"OriginKeyedProcessesEnabled": true,
"SandboxExternalProtocolBlocked": true,
"NetworkServiceSandboxEnabled": true,
"AudioSandboxEnabled": true,
"TLS13EarlyDataEnabled": false,
"RemoteAccessHostAllowRemoteAccessConnections": false,
"RemoteAccessHostAllowRemoteSupportConnections": false,
"RemoteAccessHostAllowClientPairing": false,
"RemoteAccessHostAllowFileTransfer": false,
"RemoteAccessHostAllowUrlForwarding": false,
"RemoteAccessHostFirewallTraversal": false,
"RemoteAccessHostAllowPinAuthentication": false,
"RemoteAccessHostRequireCurtain": false,
"SafeBrowsingSurveysEnabled": false,
"SafeBrowsingProxiedRealTimeChecksAllowed": false,
"QRCodeGeneratorEnabled": false,
"PromotionsEnabled": false,
"MediaRecommendationsEnabled": false,
"AutofillAddressEnabled": false,
"AllowDinosaurEasterEgg": false,
"AutofillCreditCardEnabled": false,
"AutofillPredictionSettings": 2,
"BatterySaverModeAvailability": 0,
"SitePerProcess": true,
"DefaultFileSystemWriteGuardSetting": 2,
"DefaultWebBluetoothGuardSetting": 2,
"DefaultWebUsbGuardSetting": 2,
"DefaultWebHidGuardSetting": 2,
"DefaultSerialGuardSetting": 2,
"DefaultNotificationsSetting": 2,
"DefaultClipboardSetting": 2
}
Last edited:
@7Oz-64
I only mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide. I made a few changes from a website which claimed what to do when first installation linux Mint, but onyl the ones that made sense to me (e.g. reduce swapiness, I think I have set it to 10)).
My policies
{
"SitePerProcess": true,
"SandboxExternalProtocolBlocked": true,
"AudioSandboxEnabled": true,
"SafeBrowsingProtectionLevel": 1,
"DownloadRestrictions": 1,
"PromptForDownloadLocation": false,
"DownloadDirectory": "my download folder¨
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "my free Cloudflare Zero Trust ",
"HttpsOnlyMode": "force_enabled",
"DefaultBraveHttpsUpgradeSetting": 2,
"DefaultInsecureContentSetting": 2,
"DefaultFileSystemWriteGuardSetting": 2,
"DefaultWebBluetoothGuardSetting": 2,
"DefaultWebUsbGuardSetting": 2,
"DefaultWebHidGuardSetting": 2,
"DefaultSerialGuardSetting": 2,
"JavaScriptBlockedForUrls": [ "FILE:///*" ],
"JavaScriptOptimizerBlockedForSites": [ "HTTP://*" ],
"RemoteAccessHostAllowRemoteAccessConnections": false,
"RemoteAccessHostAllowRemoteSupportConnections": false,
"RemoteAccessHostAllowClientPairing": false,
"RemoteAccessHostAllowFileTransfer": false,
"RemoteAccessHostAllowUrlForwarding": false,
"RemoteAccessHostFirewallTraversal": false,
"RemoteAccessHostAllowPinAuthentication": false,
"RemoteAccessHostRequireCurtain": false,
"PasswordManagerEnabled": false,
"AutofillAddressEnabled": false,
"AutofillCreditCardEnabled": false,
"BrowserGuestModeEnabled": false,
"BrowserAddPersonEnabled": false,
"BackgroundModeEnabled": false,
"MetricsReportingEnabled": false,
"SearchSuggestEnabled": false,
"GenAILocalFoundationalModelSettings": 1,
"PromotionsEnabled": false,
"BraveRewardsDisabled": true,
"BraveWalletDisabled": true,
"BraveNewsDisabled": true,
"BraveVPNDisabled": true,
"BraveShieldsDisabledForUrls": [
¨Lots of websites +20
]
}
I only mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide. I made a few changes from a website which claimed what to do when first installation linux Mint, but onyl the ones that made sense to me (e.g. reduce swapiness, I think I have set it to 10)).
My policies
{
"SitePerProcess": true,
"SandboxExternalProtocolBlocked": true,
"AudioSandboxEnabled": true,
"SafeBrowsingProtectionLevel": 1,
"DownloadRestrictions": 1,
"PromptForDownloadLocation": false,
"DownloadDirectory": "my download folder¨
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "my free Cloudflare Zero Trust ",
"HttpsOnlyMode": "force_enabled",
"DefaultBraveHttpsUpgradeSetting": 2,
"DefaultInsecureContentSetting": 2,
"DefaultFileSystemWriteGuardSetting": 2,
"DefaultWebBluetoothGuardSetting": 2,
"DefaultWebUsbGuardSetting": 2,
"DefaultWebHidGuardSetting": 2,
"DefaultSerialGuardSetting": 2,
"JavaScriptBlockedForUrls": [ "FILE:///*" ],
"JavaScriptOptimizerBlockedForSites": [ "HTTP://*" ],
"RemoteAccessHostAllowRemoteAccessConnections": false,
"RemoteAccessHostAllowRemoteSupportConnections": false,
"RemoteAccessHostAllowClientPairing": false,
"RemoteAccessHostAllowFileTransfer": false,
"RemoteAccessHostAllowUrlForwarding": false,
"RemoteAccessHostFirewallTraversal": false,
"RemoteAccessHostAllowPinAuthentication": false,
"RemoteAccessHostRequireCurtain": false,
"PasswordManagerEnabled": false,
"AutofillAddressEnabled": false,
"AutofillCreditCardEnabled": false,
"BrowserGuestModeEnabled": false,
"BrowserAddPersonEnabled": false,
"BackgroundModeEnabled": false,
"MetricsReportingEnabled": false,
"SearchSuggestEnabled": false,
"GenAILocalFoundationalModelSettings": 1,
"PromotionsEnabled": false,
"BraveRewardsDisabled": true,
"BraveWalletDisabled": true,
"BraveNewsDisabled": true,
"BraveVPNDisabled": true,
"BraveShieldsDisabledForUrls": [
¨Lots of websites +20
]
}
Is the “MetricsReportingEnabled” policy useful in Linux?
In Windows, not at all:
Chrome Enterprise Policy List & Management | Documentation
In addition, Brave uses the BraveP3AEnabled policy:
https://support.brave.app/hc/en-us/articles/360039248271-Group-Policy
In Windows, not at all:
Chrome Enterprise Policy List & Management | Documentation
In addition, Brave uses the BraveP3AEnabled policy:
https://support.brave.app/hc/en-us/articles/360039248271-Group-Policy
You may also like...
-
Linux Mint Devs Prep Wayland-Native Cinnamon Screensaver for Linux Mint 23- Started by lokamoka820
- Replies: 1
-
Linux Mint Will Adopt a Longer Development Cycle Starting with Linux Mint 23
- Started by lokamoka820
- Replies: 1
-
Cinnamon 6.6 Desktop Environment Released with Redesigned Application Menu
- Started by lokamoka820
- Replies: 41
-
Ubuntu, Fedora, Linux Mint Eye Age Verification Amid California Law Backlash
- Started by lokamoka820
- Replies: 1
-
Linux Mint 22.3 "Zena" is Officially Available Now! Introduces Two New Apps
- Started by lokamoka820
- Replies: 1