Advanced Security Linux Mint Xfce laptop setup

Last updated
Feb 4, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint Zara
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-Link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Using Linux sandboxing: AppArmor for print, Firejail for accessories and Flatpak for applications. Added OpenSnitch outbound application firewall to complement inbound GuFW.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
Running standard user and sticking to official repos and verified publishers. Added only a few hardening tweaks (removed execution rights from txt files, only allow admin to view logs/debug/etc, enabled ASLR system wide, set minimum TLS, disabled P2P). Enabled additional firejail profiles with firecfg and stripped flatpak permissions with flatseal.
Periodic malware scanners
None, using VirusTotal when downloading something.
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Brave with all built-in Ad Shield disabled using two profiles. My work profile has default website permissions and Microsoft Defender Browser Protection as only extension. The (default) surfing profile has most website permissions on block and AdGuard advertising and Kees1958 anti-tracking filters enabled with extra rules to enhance security (TLD firewall).
Secure DNS
  1. NextDNS in the Router with OISD plus telemetry blocklists enabled (for IOT devices) and limited the Top Level Domain scope (by manually blocking them one by one).
  2. We use Quad9 as default DNS for our Laptops and Smartphone (to bypass TLD scope limitations of router) because Quad9 is set & forget and good at malware blocking.
  3. In the browser (DOH) we use Cloudflare Zero Trust free plan with firewall policies and a personalized custom block page.
Desktop VPN
None, because my ISP uses dynamic IP allocation and I use my own router so our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
FreeFileSync
Subscriptions
    • None
System recovery
TimeShift
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 laptop with 1 TB SSD and 16GB RAM
Notable changes
Keeping my setup as simple as possible. The only extras I have are themes (for LibreOffice, Thunderbird and Brave).
  • 2025-12-04 Replaced DOH in browser (ControlD free with AppGuard DNS filter) with OS default (Quad9) because of website breakage
  • 2025-12-26 Tried Cloudflare Zero Trust free plan in browser (DOH) using security and content categories as DNS firewall policies.
  • 2026-01-08 Finalized Cloudflare Zero Trust setup by adding geo based (resolved IP) policies (and a custom blockpage)
  • 2026-01-16 Finalized extension & filter tweaking (see post)
  • 2026-02-04 Added Microsoft Browsing Protection to work profile
What I'm looking for?

Looking for minimum feedback.

When I click on the link, the Top Level Domain firewall rule in AdGuard shows a blockpage (y)


After I choose Proceed anyway, I can access the website (y)


While third-party connections outside Schengen and 5 Eyes are blocked (y),


Above behavior is exactly what I want, what am I missing, please explain?
As you can see, your image is identical to mine, but I also have the 1p script block.

So total protection against XSS clients.
Total protection against JS fingerprinting.
First-party tracker blocking...

Ask the AI this simple question:

"Does blocking only 3p + 3p scripts + 3p frames eliminate all possible privacy/security issues?"

Of course, I occasionally have to write a 1p script exception rule.
But with only 9 TLDs, there are only 5 exception rules so far.
It's not a big deal for me.

Have a good evening.
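Added example (not written by any poster in this thread): a small model of the TLD firewall behaviour discussed in the two posts above, covering the block page with Proceed anyway, blocking of third-party requests outside the allowed TLDs, and the stricter first-party script block with per-site exceptions. The TLD list, the hostnames, the `decide` function and the scoping of the first-party script rule are assumptions made for illustration; this is not AdGuard filter syntax or either poster's actual rules.

```javascript
// Added illustration: decision model for a TLD allowlist ("TLD firewall").
// ALLOWED_TLDS and every hostname used with it are constructed sample values.
const ALLOWED_TLDS = new Set(["com", "org", "net", "nl", "eu"]);

// Naive "site" = last two labels. Real blockers use the Public Suffix List,
// so names such as example.co.uk are mis-grouped by this simplification.
function site(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

function tld(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").pop();
}

// type: "document" for a top-level navigation, else "script", "frame", "image", ...
// opts.proceeded: Set of sites where the user chose "Proceed anyway"
// opts.blockFirstPartyScripts: the stricter variant described in the reply
// opts.scriptExceptions: Set of sites that have a 1p script exception rule
function decide(pageUrl, requestUrl, type, opts = {}) {
  const { proceeded = new Set(), blockFirstPartyScripts = false,
          scriptExceptions = new Set() } = opts;
  const reqHost = new URL(requestUrl).hostname;
  const inScope = ALLOWED_TLDS.has(tld(reqHost));

  if (type === "document") {
    // Out-of-scope navigation gets a block page the user can click through.
    if (inScope || proceeded.has(site(reqHost))) return "allow";
    return "blockpage";
  }

  const pageSite = site(new URL(pageUrl).hostname);
  const thirdParty = site(reqHost) !== pageSite;
  // Proceeding to a site does not open up third parties outside the allowlist.
  if (thirdParty) return inScope ? "allow" : "block";

  // First-party sub-request: only the stricter variant touches it.
  // Assumption: the rule applies to every site that has no exception.
  if (type === "script" && blockFirstPartyScripts &&
      !scriptExceptions.has(pageSite)) return "block";
  return "allow";
}
```

With only the third-party rules active, a first-party script on a site reached through the block page still runs; the `blockFirstPartyScripts` option is what changes that, at the cost of maintaining the exception set.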
After six days of no False Positive (AdGuard TLD firewall breaking websites), I replaced AG by uBol (is a tad faster in Speedometer 3.1 than AG, 18.8 instead of 18.7)

EDIT and yes the 8th day I encountered a TLD block again, so reverted back to AdGuard (using the log function I see what is blocked) :ROFLMAO:

In the past I had two classic bikes and could spend Saturdays fiddling with carburetors, needles, jets and pre-ignition to optimize the engine. I recognize the same tweaking frenzy with uBol and AG in my two Brave profiles. :)
Dropped adblocking in Cloudflare, back to security related block policies only.

Added Microsoft Defender Browser Protection as only extension to my work profile.
