Advanced Security Linux Mint Xfce practical maximum setup

Last updated
Apr 30, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Xfce
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-Link HomeCare, SPI firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Sticking to safe standards and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official stable repositories from verified publishers and uninstalled all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system-wide.
  • Enabled and created Firejail profiles with firecfg and stripped Flatpak permissions with Flatseal.
  • Added OpenSnitch outbound application firewall to complement inbound GuFW.
  • Installed logcheck with e-mail warning for security alerts & events.
Periodic malware scanners
When I receive files from others I scan them with VirusTotal. My half-yearly data backups are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Chrome with hardened policies and most site permissions on block, with two browsing profiles (work and surfing), both using uBlock Origin Lite with different rules and filters.
Secure DNS
  1. NextDNS in the router with OISD and telemetry blocklists enabled (for IoT devices), allowing only common top-level domains to connect.
  2. We use Quad9 as default DNS for our laptops for problem-free malware filters (and to bypass the router TLD firewall limitation).
  3. In the browser (DoH) I use ControlD free with OISD basic filter (mild and unattended adblocking).
Desktop VPN
Proton VPN free for Linux on-demand (out of home). At home I have very little use for VPN because our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half-yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
What I'm looking for?

Looking for maximum feedback.

Yes
 
AI explanation of why I replaced Avira Browser Safety (when it moved from German privacy law to US law) with Malwarebytes Browser Guard (with adblock off).


When Avira was under German law, it had only a 7-day retention for blocked URLs (with IP geolocation, not IP) and only collected anonymized telemetry totals of blocked URLs (running year stats). Now that it has moved to Gen Digital (US law), the tight German privacy laws are also abandoned. Funny to see that when the context changes, AI's interpretation also changes. Because Avira dropped in valuation, AI increased its valuation for MBAM (increased from good to strong :-) ).
 
I’m just reaching out because you changed the feedback.
I had Claude AI analyze your security configuration (it’s very trendy right now), and he suggested several areas that need attention.
Here are the ones I think you should check as soon as possible:


Let me know if Claude AI was helpful or not.
Thanks for your attention.:)
 
Thanks my friend, I really appreciate your tips (y). I installed USBGuard. Good addition, very helpful (also installed USBGuard notifier).

Claude overlooks that I only install/update from official sources and with Linux it is impossible to install without user consent (as far as I know). So my mild HIDS (logcheck) and NIDS (router) do the job for me, considering everything non-basic OS is sandboxed or double sandboxed (like the browser and e-mail). I asked ChatGPT whether I should add something like AIDE, Tiger, SNORT or Suricata and it said it was not worth the trouble or overhead.

Moving to Fedora (with SELinux) and Wayland would be more productive (according to AI), but I will delay that until 2029 (remember @oldschool's advice "stay safe, not paranoid") :-) practical maximum is enough (not seeking absolute maximum).
 
Met a PHP/backend programmer, who uses Linux himself. He explained that running Chrome (with full sandbox) with a (partly crippled) Firejail is stronger than Chrome solo or Chrome (with crippled sandbox) in Flatpak. So I dropped Brave (in Flatpak) for Chrome (in Firejail) and also replaced Cloudflare Zero Trust with ControlD free with OISD large (because of the obvious impact of losing Brave's adblocker).

CUPS (print) runs in AppArmor, all desktop accessories. LibreOffice and Chrome run in Firejail and Teams plus Evolution in (stripped) Flatpak. Evolution uses Bubblewrap to sandbox the HTML renderer and is itself also sandboxed in Flatpak. The programmer uses Fedora.
 
Made a 180 :-) (again :unsure:)

Because I switched from Brave in Flatpak (adds a horizontal layer, but breaks Chrome vertical sandboxing) to Chrome in Firejail (keeps Chrome's internal sandbox intact and adds a less restricted horizontal layer), I switched back from Cloudflare Zero Trust to ControlD free with OISD and using two browser profiles.

I discovered the Safe Browsing v5 API flag (link) and read about NVT Api Void Browser Protection on MT, so I decided to drop my free URL-filtering browsing protection extension and translated some ideas of NVT into extra protection rules in uBOL, with different TLD rules for work and surfing.

Main differences between work and surfing browsing profiles:
  • Theme
    Work has 'Chrome classic darker blue' and Surfing has 'Simple red' theme for visual feedback on which profile I am using.
  • Site permissions
    Work sets some permissions related to MS Teams to ask (camera, mic, window management, scroll and zoom), Surfing has all on block.
  • uBlock Origin Lite filters
    Work only has custom rules with Kees1958 (as advised by ChatGPT) and Surfing has EasyList & EasyPrivacy, uBOL and AG URL tracking enabled.
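
The posts above contrast Chrome's own ("vertical") sandbox with the outer Firejail or Flatpak layer. As an added example that is not part of the thread, this shell sketch reads `/proc/<pid>/status` to show, per process, how deep it sits in nested PID namespaces and whether a seccomp filter is active. The function names and sample values are constructed for illustration, and treating "renderer deeper than browser process" as a sign of an intact inner sandbox is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Fields per proc(5): Seccomp 0=off 1=strict 2=filter; NoNewPrivs 1=set;
# NSpid holds one PID per nested PID namespace the process lives in.

# sandbox_summary: /proc/<pid>/status text on stdin -> one summary line.
sandbox_summary() {
    awk '
        $1 == "Name:"       { name = $2 }
        $1 == "NSpid:"      { depth = NF - 1 }
        $1 == "NoNewPrivs:" { nnp = $2 }
        $1 == "Seccomp:"    { sec = $2 }
        $1 == "CapEff:"     { cap = $2 }
        END {
            mode = (sec == 2) ? "filter" : ((sec == 1) ? "strict" : "off")
            printf "%s pidns_depth=%d seccomp=%s nnp=%s caps=%s\n", name, depth,
                   mode, (nnp == 1 ? "yes" : "no"), (cap ~ /^0+$/ ? "none" : cap)
        }'
}

# inner_sandbox_intact BROWSER_SUMMARY RENDERER_SUMMARY
# Assumption: a renderer that sits in a deeper PID namespace than its browser
# process and runs under a seccomp filter still has the browser's own sandbox.
inner_sandbox_intact() {
    b=$(printf '%s\n' "$1" | sed -n 's/.*pidns_depth=\([0-9]*\).*/\1/p')
    r=$(printf '%s\n' "$2" | sed -n 's/.*pidns_depth=\([0-9]*\).*/\1/p')
    case $2 in *seccomp=filter*) ;; *) return 1 ;; esac
    [ "$r" -gt "$b" ]
}

# scan_browser NAME: live use on a running system, e.g. scan_browser chrome
scan_browser() {
    for pid in $(pgrep -x "$1"); do
        ptype=$(tr '\0 ' '\n\n' < "/proc/$pid/cmdline" | sed -n 's/^--type=//p' | head -n 1)
        printf '%s %-9s ' "$pid" "${ptype:-browser}"
        sandbox_summary < "/proc/$pid/status"
    done
}

# Constructed samples (not captured from a real machine).
SAMPLE_BROWSER=$(printf 'Name:\tchrome\nNSpid:\t4121\t7\nNoNewPrivs:\t0\nSeccomp:\t0\nCapEff:\t0000000000000000\n')
SAMPLE_RENDERER=$(printf 'Name:\tchrome\nNSpid:\t4188\t52\t4\nNoNewPrivs:\t1\nSeccomp:\t2\nCapEff:\t0000000000000000\n')
```

On a live system, `scan_browser chrome` prints one line per browser process; the result can be compared with what the browser itself reports on `chrome://sandbox`.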
 
....So Chrome is faster than Brave.
Just as expected.
Yes but Flatpak (sandbox) is faster than Firejail (sandbox), so the benchmark difference is even more than the difference in posted results, but to put things in perspective ...

Firefox is 30 (Brave) to 40 (Chrome) percent slower in the Speedometer benchmark, but that is usually only 0.1 second or less in website load time when testing with PageSpeed Insights (and that benchmark is written by Chrome, so probably gives Chrome a slight advantage over other browsers like Firefox and Safari). People probably don't notice a 0.1 second load difference, making Firefox feel as fast as Chrome, and when you prefer Firefox you probably think Firefox is faster.
 