Configure the firewall to deny incoming ports. Then, if you want outsiders to be able to make connections to an SSH port, Apache server, shared folder, etc. on your machine, open just the ports you need for your services. Most folks don't expose services on ports to network machines, particularly on public networks. So your public profile could be set up to deny all incoming ports.
On the outgoing side, you need port 80, 443, and a few others open or you won't be able to communicate with the LAN/WAN at all. A middle man hijacks any outside communication, not by controlling what leaves your computer over your HTTP(S) ports, but rather, by spoofing your network into thinking the bad guy's machine is a legitimate hop. One way is to convince your machine that his machine is the network router.
So, when you are on a public network, your allowed outgoing ports in your firewall are not your major vulnerability. Being diligent about not accepting certificate warnings is. Prefer sites that use the https protocol. For example, if you connect to Facebook, configure Facebook to require https.
You can, if you wish, lock down all but the necessary outgoing ports. But from time to time you will probably be confronted with network share blocks and other needed/wanted networking features until you discover/open the needed outgoing ports.
Outgoing blocks on machines are mostly used to control user access (e.g., you don't want your child's user to be able to connect to a remote desktop somewhere). They can also be used to disrupt some call-home malware.
One approach that I use on occasional networks is to deny all in/out ports and, as I go, selectively open the ones needed. There will be a subsequent post that will say this is totally unnecessary and paranoid for the average Mint Linux home user... true.
NASA gets hacked and malicious activity does occur on Linux machines... primarily those that have open incoming ports with direct exposure to the WAN. If you have state secrets (or personal secrets) on your machine, keep them in an encrypted volume. I use Truecrypt. If you do too, then beware. There is a script kiddie package called truecrack that can attack a Truecrypt volume if you use AES and a short password. Remember that in public networks, one compromise that benefits the bad guy most is simply stealing your laptop.
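
The deny-all-then-open-selectively profile described in this post, written out as an added example (not part of the original post) using ufw, the firewall front end shipped with Linux Mint. The outgoing port list and the function names are assumptions made for illustration; the script only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example: build a ufw rule set for a "public network" profile.
# It prints the commands instead of running them, so they can be reviewed.

# Outgoing ports kept open (constructed list: DNS, HTTP, HTTPS, NTP).
OUT_ALLOW="53/udp 53/tcp 80/tcp 443/tcp 123/udp"

# Accept only PORT/PROTO with port 1-65535 and proto tcp or udp.
valid_spec() {
    port=${1%%/*}; proto=${1#*/}
    case "$1" in */*) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$proto" = tcp ] || [ "$proto" = udp ]
}

# Arguments are the inbound services to expose, e.g. 22/tcp (none by default).
public_profile_rules() {
    # Validate everything before emitting anything, so a typo never
    # produces a half-written rule set.
    for spec in $OUT_ALLOW "$@"; do
        valid_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    for spec in $OUT_ALLOW; do echo "ufw allow out $spec"; done
    for spec in "$@"; do echo "ufw allow in $spec"; done
    # --force skips the interactive confirmation prompt.
    echo "ufw --force enable"
}

# Stand-alone use: ./profile.sh --print [PORT/PROTO ...]
case "${1:-}" in
    --print) shift; public_profile_rules "$@" ;;
esac
```

Review the printed commands, then pipe them to `sudo sh` to apply them. Blocked features such as network shares show up as the missing outgoing ports the post mentions, which are then added to `OUT_ALLOW`.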