- Default firewall module picked for new installs is now firewalld
When will SuSEfirewall2 be migrated to the new firewalld?
...And what happens to users who are relying on SuSEfirewall2 with custom rules and settings?
Is/will the firewalld migration be mandatory/silent, or could it be decided by the user?
We're in the process of changing the default firewall from SuSEfirewall2 to firewalld for SLE-15 and openSUSE Leap 15. The YaST installer should now be able to enable/disable firewalld and open/close the ssh port for it.
The YaST firewall module will try to start the firewall-config X application for configuring firewalld at the moment. There will be some time without a YaST curses GUI for firewalld. firewalld comes with the firewall-cmd command line tool for configuring it.
There will not be an automated migration path from an old SuSEfirewall2 configuration to a firewalld configuration. There is a package "susefirewall2-to-firewalld" which contains a utility for converting SuSEfirewall2 configurations to firewalld. It's only a supporting tool that tries to do the right thing. But it requires manual interaction and review of the resulting firewall rules.
SuSEfirewall2 can stay in Tumbleweed for the moment but there are no plans to ship it as a legacy module in releases (at least not in SLE-15). SuSEfirewall2 and firewalld can live side by side but the user needs to take care that only one of them is active at any time.
For users that extensively use SuSEfirewall2 with custom rules etc., I recommend carefully setting up new firewall rules using the firewalld command line or GUI utilities. firewalld allows passing raw iptables rules and also so-called "rich rules" (a proprietary, simpler syntax provided by firewalld). These can be used to add custom rules to firewalld that are not otherwise covered by firewalld features.
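
The hand-over and the two kinds of custom rule mentioned in the reply above, as an added example that is not part of the original thread. The unit names `SuSEfirewall2` and `firewalld`, the `public` zone, the address range, the port and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: constructed values, not taken from the thread.
# Assumed systemd unit names: SuSEfirewall2 and firewalld.

# Print the state systemd reports for a unit ("active", "inactive", ...).
unit_state() {
    systemctl is-active "$1" 2>/dev/null || true
}

# Succeed only when both firewalls run at once, which is the situation
# the reply says the user has to avoid.
both_active() {
    [ "$1" = "active" ] && [ "$2" = "active" ]
}

# Build a rich rule accepting one service from one IPv4 source network.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

migrate() {
    # Hand over: stop the old firewall, then start the new one.
    systemctl disable --now SuSEfirewall2
    systemctl enable --now firewalld
    if both_active "$(unit_state SuSEfirewall2)" "$(unit_state firewalld)"; then
        echo "SuSEfirewall2 and firewalld are both active" >&2
        return 1
    fi

    # Rich rule: ssh from a management network (constructed range).
    firewall-cmd --permanent --zone=public \
        --add-rich-rule="$(rich_rule 192.0.2.0/24 ssh)"
    # Raw iptables rule through the direct interface (constructed port).
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
        -p tcp --dport 8443 -j ACCEPT
    firewall-cmd --reload

    # Print the resulting rules for the manual review the reply asks for.
    firewall-cmd --zone=public --list-all
    firewall-cmd --direct --get-all-rules
}

# Runs only on request, as root: RUN_MIGRATION=1 sh migrate-fw.sh
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
    migrate
fi
```

Rules added with `--permanent` take effect only after `firewall-cmd --reload`, which is why the listing commands come last.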