I have 13.10 installed (as a host OS) and it's running great. I set up a VPN connection to be able to securely update the host OS from time to time. The VPN connection works fine, but I won't be using it except for those times when I want to update the host, VirtualBox, etc. (about monthly). My internet activity will be pfSense VMs and Linux VMs beyond the host.

Back to the Linux host: while it likely is not needed, I wanted to disconnect/lock the host except for, of course, grabbing the router, which will allow pfSense to do its thing. I was thinking about using GUFW for the task of locking down the host. My initial thoughts are setting everything to deny and then adding two rules.

Do you guys think setting allow via advanced rules to LAN only would work? I would add two advanced allow rules: the normal LAN IP so the machine can find the router, and if needed the LAN2 IP (LAN2 = pfSense LAN). Would locking down to only LAN keep the host from "accidentally" ever going out on the internet? I would simply disable the host firewall while I was updating the host, and again that would be monthly or less.

I want to use GUFW because it's GUI and simple, and others can easily replicate the process if they wanted to copy this. I am not concerned about pfSense or beyond for the purpose of this thread. It will be a day or so until I build the pfSense VM(s), so I can't check this out yet.

Looking for thoughts on the subject. Would my proposal seem reasonable to you guys, or what/how would you go about this?