Hello,
> Are there plans to implement "everything" that SuSEfirewall2 did under the hood, with firewalld or other mechanisms?
Not everything. It's a best-effort approach. I would say the aim is to be able to migrate typical use cases without much trouble. Not all features that SF2 provides are still relevant today, or they cause complexities that are difficult to manage. firewalld, on the other hand, also provides features that SF2 does not have. A clean and well-defined interface, for example.
> I liked how SF2 created the LOG rules for each service enabled and would hate to see it go away.
SF2 allowed very complex LOG rule setups. firewalld only allows logging dropped/rejected packets in general, independently of the involved service. You can still add custom LOG rules.
> How about the more obscure things like loading kernel modules when FW_KERNEL_SECURITY or FW_LOAD_MODULES are set?
Regarding KERNEL_SECURITY, the kernel has improved much in terms of default values. SF2 currently only touches three items: log_martians, accept_source_route and rp_filter. This option also was a source of confusion in the past, because it didn't respect sysctl configuration. It's better to perform these settings explicitly via sysctl in the future. Regarding FW_LOAD_MODULES, firewalld is able to load required modules like nf_conntrack_netbios_ns in a service context. For example, if the samba-client service is enabled, then this module will implicitly be loaded.
> What about "yast firewall", will this be ported? I'm sure there are more, but these are the few that come to mind.
The YaST firewall module will be delayed a bit. There will be a time without a functioning one. As long as you have an X server available you can use the firewall-config GUI instead.

Generally I'd like to say that you can also contribute to firewalld to add features that are missing at the moment. I have the impression that the upstream project is a bit thin on manpower at the moment.

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
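
Added example, not part of the original mail and not code from SuSEfirewall2 or firewalld: a shell function that checks the three keys named in the reply (log_martians, accept_source_route, rp_filter) on every interface and prints sysctl.d lines for those that differ from a target. The function name and the target values in TARGETS are assumptions of this example.

```shell
#!/bin/sh
# Target values are this example's assumption, not taken from the mail.
TARGETS="log_martians=1 accept_source_route=0 rp_filter=1"

# audit_kernel_security [PROC_ROOT]
# PROC_ROOT defaults to /proc/sys; a copy or test tree can be passed instead.
# Prints one "key = value" line, usable in /etc/sysctl.d/*.conf, for every
# per-interface setting that differs from TARGETS.
# Returns 1 if at least one deviation was found, 0 otherwise.
audit_kernel_security() {
    root="${1:-/proc/sys}"
    rc=0
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for pair in $TARGETS; do
            key=${pair%%=*}
            want=${pair#*=}
            file="$dir$key"
            [ -r "$file" ] || continue
            have=$(cat "$file")
            if [ "$have" != "$want" ]; then
                # Slash-separated form keeps dots in interface names
                # (e.g. VLAN "eth0.100") intact for sysctl and sysctl.d.
                echo "net/ipv4/conf/$iface/$key = $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage: audit_kernel_security || echo "deviations found" >&2
```

The printed lines can be reviewed and placed in a file under /etc/sysctl.d/ so the settings are applied by sysctl rather than by the firewall.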