How do I manage firewall configs and ACL rules?
Quick answer
Section titled “Quick answer”The Firewall configs and ACL rules tabs in the Provisioning area
document your network security configuration: a firewall config records
a configuration snapshot as text (type Default or Custom); an ACL
rule describes a single access decision — action (Allow/Deny),
source, destination, port and protocol (TCP/UDP).
Prerequisites
Section titled “Prerequisites”Provisioning is available from the Elite tier.
Instructions
Section titled “Instructions”-
Record a firewall config. Open Provisioning → Firewall configs and click “Add Firewall config”:
- Name (required) — e.g. “DMZ baseline rules”.
- Type (required) —
DefaultorCustom. - Configuration — the rule set as text (e.g. an nftables/iptables excerpt).
- Description (optional).
Screenshot pendingprovisioning-firewall-01Firewall configs tab with the 'Add Firewall config' dialog and configuration text fieldA firewall config as a documented configuration snapshot. -
Create an ACL rule. Switch to ACL rules and click “Add ACL rule”:
- Name (required) — e.g. “HTTPS from LAN to DMZ”.
- Action (required) —
AlloworDeny. - Source / Destination — e.g.
10.0.10.0/24→10.0.20.5. - Port — e.g.
443. - Protocol —
TCPorUDP. - Description (optional).
-
Maintain them. Make changes to existing entries via the pencil icon; an administrator removes outdated entries via the trash icon.
Create a firewall config — POST /api/v1/provisioning/firewall-configs:
curl -X POST https://demo.notory.io/api/v1/provisioning/firewall-configs \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "name": "DMZ Basisregeln", "config_type": "default", "content": "table inet dmz {\n chain input { policy drop; tcp dport { 80, 443 } accept }\n}", "description": "Grundschutz für die DMZ" }'Create an ACL rule — POST /api/v1/provisioning/acl-rules:
curl -X POST https://demo.notory.io/api/v1/provisioning/acl-rules \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "name": "HTTPS aus dem LAN zur DMZ", "action": "allow", "source": "10.0.10.0/24", "destination": "10.0.20.5", "port": 443, "protocol": "tcp", "description": "Zugriff der Clients auf den Web-Proxy" }'{ "id": "acl_9d0e…", "tenant_id": "3d9b0c12-…", "name": "HTTPS aus dem LAN zur DMZ", "action": "allow", "source": "10.0.10.0/24", "destination": "10.0.20.5", "port": 443, "protocol": "tcp", "description": "Zugriff der Clients auf den Web-Proxy", "created_at": "2026-07-08T11:40:00Z", "updated_at": "2026-07-08T11:40:00Z"}Both stores support GET (list/detail), PUT (change) and DELETE
(administrators only).
Possible errors: 401, 403 (Provisioning is not in your tier or no
write access), 404 (entry not found), 422 (validation, e.g. a port
outside 0–65535).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Documentation of the intended configuration: Notory does not distribute firewall configs and ACL rules to devices — they are the documented target state of your network security, which your automation or your workflow implements.
- Tenant isolation & audit: Both stores are tenant-bound; creating, changing and deleting is recorded in the log.
- Auditability: A well-maintained ACL store serves as evidence in audits — see Compliance.