Advanced Security Linux Mint Xfce laptop setup

Last updated
Feb 4, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint Zara
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Using Linux sandboxing: AppArmor for print, Firejail for accessories and Flatpak for applications. Added OpenSnitch outbound application firewall to complement inbound Gufw.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
Running standard user and sticking to official repos and verified publishers. Added only a few hardening tweaks (removed execution rights from txt files, only allow admin to view logs/debug/etc, enabled ASLR system wide, set minimum TLS, disabled P2P). Enabled additional firejail profiles with firecfg and stripped flatpak permissions with flatseal.
Periodic malware scanners
None, using VirusTotal when downloading something.
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Brave with all built-in Ad Shield disabled using two profiles. My work profile has default website permissions and Microsoft Defender Browser Protection as only extension. The (default) surfing profile has most website permissions on block and AdGuard advertising and Kees1958 anti-tracking filters enabled with extra rules to enhance security (TLD firewall).
Secure DNS
  1. NextDNS in the Router with OISD plus telemetry blocklists enabled (for IOT devices) and limited the Top Level Domain scope (by manually blocking them one by one).
  2. We use Quad9 as default DNS for our Laptops and Smartphone (to bypass TLD scope limitations of router) because Quad9 is set & forget and good at malware blocking.
  3. In the browser (DOH) we use Cloudflare Zero Trust free plan with firewall policies and a personalized custom block page.
Desktop VPN
None, because my ISP uses dynamic IP allocation and I use my own router so our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
FreeFileSync
Subscriptions
    • None
System recovery
TimeShift
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 laptop with 1 TB SSD and 16GB RAM
Notable changes
Keeping my setup as simple as possible. The only extras I have are themes (for LibreOffice, Thunderbird and Brave).
  • 2025-12-04 Replaced DOH in browser (ControlD free with AppGuard DNS filter) with OS default (Quad9) because of website breakage
  • 2025-12-26 Tried Cloudflare Zero trust free plan in browser (DOH) using security and content categories as DNS firewall policies.
  • 2026-01-08 Finalized Cloudflare Zero Trust setup by adding geo based (resolved IP) policies (and a custom blockpage)
  • 2026-01-16 Finalized extension & filter tweaking (see post)
  • 2026-02-04 Added Microsoft Browsing Protection to work profile
What I'm looking for?

Looking for minimum feedback.

Yes, but my experience is that it skips static rules like ||example.org$script and only used the cosmetic rules.

Well, obviously your rule is a network rule, not a cosmetic rule.;)
A network rule can only be added using DNR rules.

Although Gorhill does not encourage the extensive use of network rules that may conflict with those of the lists subscribed to in the extension.
 
I see you use Thunderbird.
If you want to try increasing Thunderbird's sandbox level, this is possible.
Some AI will tell you that you can't go beyond a certain level, or, as in my case, they insert threads that I created years ago.
Some AI might even claim that this is not possible or doesn't work.

If, on the other hand, you prefer to leave Thunderbird's level at the default value, in this js you will find how to harden Thunderbird, in a similar way to Firefox:

thunderbird-user.js/user.js at master · HorlogeSkynet/thunderbird-user.js
 
Thanks, I am on holiday until the 26th without laptop, but will certainly look into it. May I PM you when I have questions?
 
Nice and secure configuration you have there. Btw, is the built-in password manager KeepassXC or something else?
 
I am currently on holiday and found out that Google has something called Apps Script which you can use to automate stuff like auto deleting mail in Gmail.

I forward all my ISP email to my (2nd) Gmail account and excluded this Gmail account in my unified (search folder) inbox in Thunderbird to have it automatically checked for viruses by Google.

Until now I manually deleted all those emails in my (second) Gmail account (only set up for this purpose), but will write a script when back from holiday.
 
Back to my original setup only replaced ControlD with Cloudflare Zero Trust free plan (thanks @rashmi for posting).

Brave with Brave Shields disabled and uBol plus Avira as only extensions in my work profile (Avira with tracking protection and uBol only with custom rules and all filterlists disabled). In my surfing profile I use no extensions and have set Brave Shields to Aggressive mode with anti-fingerprinting enabled.
 
The website permission settings of my surfing profile :)

1766838840708.png
 
Removed Avira because Cloudflare with Zero Trust performed surprisingly well when trying some random malware and phishing links.

Using uBol in both work and surfing profile. In work profile I only have custom Cosmetic and DNR-rules for some bookmarked websites. For surfing I use uBol only to reduce the attack surface (together with the tight website permissions should increase security).

____________ posting scrambles the indentation ___________
---
#
# Upgrade HTTP to HTTPS when available
#
priority: 40
action:
  type: upgradeScheme
condition:
  urlFilter: http://
---
#
# Block scripts of unsafe HTTP connections
#
priority: 30
action:
  type: block
condition:
  urlFilter: http://
  resourceTypes:
    - script
---
#
# Block protocols that are normally not needed for casual internet surfing
#
priority: 30
action:
  type: block
condition:
  urlFilter: magnet://
---
priority: 20
action:
  type: block
condition:
  urlFilter: telnet://
---
priority: 30
action:
  type: block
condition:
  urlFilter: slack://
---
priority: 30
action:
  type: block
condition:
  urlFilter: org-protocol://
---
priority: 30
action:
  type: block
condition:
  urlFilter: vscode://
---
priority: 30
action:
  type: block
condition:
  urlFilter: apt://
---
priority: 30
action:
  type: block
condition:
  urlFilter: irc://
---
priority: 30
action:
  type: block
condition:
  urlFilter: git://
---
#
# Block resources mis-used for tracking or posing a security risk
#
priority: 20
action:
  type: block
condition:
  resourceTypes:
    - csp_report
    - ping
    - object
    - webbundle
---
#
# Block links containing executable Linux formats
#
priority: 20
action:
  type: block
condition:
  regexFilter: /.*\.(appimage|bin|deb|elf|py|pyc|pyo|pyd|pyw|pyi|pyz|ipynb|sh|rpm|run)\b/
---
#
# Block request outside EU-zone and 5 eyes countries
#
priority: 10
action:
  type: block
condition:
  excludedRequestDomains:
    - com
    - edu
    - io
    - net
    - org
    - EU
    - AT
    - BE
    - BG
    - HR
    - CY
    - CZ
    - DK
    - EE
    - FI
    - FR
    - DE
    - GR
    - HU
    - IE
    - IT
    - LV
    - LT
    - LU
    - MT
    - NL
    - PL
    - PT
    - RO
    - SK
    - SI
    - ES
    - SE
    - NO
    - CH
    - IS
    - LI
    - GB
    - UK
    - CA
    - US
    - AU
    - NZ
---
 
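How the priorities in the rules posted above interact, as an added example that is not part of the original post and not uBOL's own code: a simplified model of declarativeNetRequest (DNR) rule selection, where the highest priority wins, ties go allow > block > upgradeScheme, and a rule without resourceTypes does not match main_frame. It assumes the rules reach the DNR engine as written; the TLD list is shortened and lower-cased, and the rule names and example.* URLs are constructed.

```javascript
// Added illustration: simplified model of DNR rule selection for a subset of
// the rules posted above. Rule names are hypothetical labels, not uBOL fields.
const RULES = [
  { name: 'upgrade-http', priority: 40, action: 'upgradeScheme', urlFilter: 'http://' },
  { name: 'block-http-script', priority: 30, action: 'block', urlFilter: 'http://', resourceTypes: ['script'] },
  { name: 'block-risky-types', priority: 20, action: 'block', resourceTypes: ['csp_report', 'ping', 'object', 'webbundle'] },
  // TLD list shortened for the example; entries lower-cased (assumption).
  { name: 'tld-firewall', priority: 10, action: 'block', excludedRequestDomains: ['com', 'org', 'eu', 'nl', 'de', 'us'] },
];

// Tie-break order DNR applies when two matching rules share a priority.
const ACTION_RANK = ['allow', 'allowAllRequests', 'block', 'upgradeScheme', 'redirect'];

// A listed domain also covers its subdomains, which is what makes a bare TLD entry work.
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function matches(rule, url, type) {
  // DNR default: without resourceTypes a rule matches every type except main_frame.
  if (!rule.resourceTypes && type === 'main_frame') return false;
  // Plain urlFilter strings (no |, ^ or *) behave as case-insensitive substrings.
  if (rule.urlFilter && !url.toLowerCase().includes(rule.urlFilter)) return false;
  if (rule.resourceTypes && !rule.resourceTypes.includes(type)) return false;
  const host = new URL(url).hostname;
  if (rule.excludedRequestDomains &&
      rule.excludedRequestDomains.some(d => underDomain(host, d))) return false;
  return true;
}

// Return the single rule that decides the request, or 'none' if nothing matches.
function decide(url, type) {
  const hits = RULES.filter(r => matches(r, url, type));
  if (hits.length === 0) return { action: 'none', rule: null };
  hits.sort((a, b) => b.priority - a.priority ||
    ACTION_RANK.indexOf(a.action) - ACTION_RANK.indexOf(b.action));
  return { action: hits[0].action, rule: hits[0].name };
}

// Constructed sample requests.
for (const [url, type] of [
  ['http://example.com/app.js', 'script'],     // upgraded at 40, the block at 30 never wins
  ['https://example.com/collect', 'ping'],     // blocked by resource type
  ['https://cdn.example.xyz/t.js', 'script'],  // blocked by the TLD rule
  ['https://example.xyz/', 'main_frame'],      // top-level navigation is not matched
]) console.log(type, url, decide(url, type));
```

In this model the priority-40 upgradeScheme rule shadows the priority-30 script block for every http:// request, and the TLD rule only affects subresources unless main_frame is listed explicitly.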
@LinuxFan58

It is interesting to note that your rule in uBoL that blocks Beacon (object) does not intercept JavaScript, does not intercept browser APIs, and does not intercept sendBeacon.
The navigator.sendBeacon() API is blocked by one of my rules that you are familiar with.
It allows data to be sent in the background even when the user leaves the page, without blocking loading and without being easily intercepted.
It is one of the preferred APIs for modern tracking.
Even though the percentage of website breakage, especially for payments, is high.

I chose it for greater Beacon coverage.
Let me show you the results of the rule's prevention as processed by ChatGPT 5.2:

1.png

;)
 
Okay I admit, could not do anything today because trains were cancelled due to excessive weather conditions (snow and storm Goretti). So I cancelled the meeting and started playing with Cloudflare. Wanted to increase privacy a little so I reduced the logs to block only and enabled removing sensitive information (free plan has fixed retention period). Watched another episode of Gangs of London and filled my time with the absolute summon of useless activity by changing ...

1768235550264.png

..... the looks of the Cloudflare blockpage (matching it with Google safe browsing block page).:ROFLMAO::ROFLMAO::ROFLMAO:

The use of setting your own blockpage is that you can add a custom reason per policy (reden: website toont verdacht gedrag en is dus een veiligheidsrisico). Only for Ads and Deceptive ads firewall policy I am NOT using a blockpage.
 
Because of @Andy Ful malware filter testing (y) and @Sampei.Nihira adfilter optimization testing(y), I added two extensions:
  • Work profile: Avira Safe browsing with anti-tracking enabled. The mild anti-tracking complements nicely the mild advertisement blocking of Cloudflare. Also Avira's URL filtering provides best results when testing malware, phishing and fake shopping links in combination with Cloudflare and Google Safe Browsing.
  • Surfing profile: Privacy Badger in learning mode (I know it can be misused, but it has never occurred in the wild) to complement Brave's adblocking. This combo resulted in the lowest third-party exposure after a day of surfing.
Security and privacy wise I should be okay with Avira Safe Browsing and Privacy Badger extensions (one is bound to strict German privacy regulations and the other is developed by the Electronic Frontier Foundation).

Setup finalized :unsure:
 
Get this:

1.png


Could you get more?
Maybe, I don't have any experience with Brave's built-in adblock.

I would block 1p script on all websites outside your TLDs in your aggressive profile.

You would also get 3p script blocked at the same time.
Almost certainly 3p frames too.

+ Privacy/security without adding extensions.

However, I have some doubts about this aspect (frame) in PB.
It would be better to ask the AI.

I would leave PB in your moderate profile.

If you're interested in trying it, I'll write down the simple rules, which I'm sure you can write yourself.;)
 
Brave in Aggressive mode also blocks first party. I use PB in learning because it shows third-party exposure also. When those 3P are useless (from user experience perspective) connections I block them in PB. Until now I only added 1 domain.

I used uBol only allowing some trusted TLDs but the number of blocks was zero. Same with your rules in AG you PM-ed.

With my surfing behavior Brave Shields seem to do very well. This is why I want to know what the actual 3P exposure is.