## GET /api/v2/vps/{id}/firewall

**List VPS firewall rules**

Return VPS firewall protection state, rules, rule limits, and action gates. Get `{id}` from `GET /api/v2/vps`. Use `rules[].pos` as `{pos}` for rule update/delete only when `rules[].editable` is `true`. Per-VPS v2 writes manage inbound rules only: `type: "in"` can be editable, while upstream `type: "out"` rules and `type: "group"` shared/group references are read-only on this endpoint.

### Related Endpoints

- `POST /api/v2/vps/{id}/firewall`: Add VPS firewall rule
- `PUT /api/v2/vps/{id}/firewall/{pos}`: Replace VPS firewall rule
- `DELETE /api/v2/vps/{id}/firewall/{pos}`: Delete VPS firewall rule

### Headers

- `Accept`: application/json
- `Authorization`: Bearer YOUR_API_KEY
- Required API scope: `read:vm`

### Parameters

- `id` (path, string, required): Public VPS ID from `GET /api/v2/vps` `data[].id`. Do not invent this value; use the exact ID returned by the referenced API response. Example: `vps_01hxa3b4c5d6e7f8g9h0j1k2m3`

### Request Example

```bash
curl -X GET "https://cloud.hostup.se/api/v2/vps/vps_01hxa3b4c5d6e7f8g9h0j1k2m3/firewall" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"
```

### Response Schema

- `available` (boolean, required) Example: `true`
- `reason` (string,null, required) Example: `null`
- `enabled` (boolean, required) Example: `true`
- `summary` (string,null, required) Example: `Firewall protection is on. Incoming traffic must match an allow rule to pass.`
- `detail` (string,null, required) Example: `Traffic that does not match one of the rules below is blocked before it reaches the VM.`
- `limits` (object, required)
- `limits.maxRules` (integer, required) Example: `100`
- `limits.currentRules` (integer, required) Example: `1`
- `limits.remainingRules` (integer, required) Example: `99`
- `rules` (array<object>, required)
- `rules[].pos` (integer,null, required) Example: `0`
- `rules[].type` (string,null, required): `in` is the customer-writable inbound rule type. `out` and `group` can appear from upstream reads but are read-only through this per-VPS endpoint. Example: `in`
  Allowed values: in, out, group, 
- `rules[].action` (string,null, required) Example: `ACCEPT`
  Allowed values: ACCEPT, DROP, REJECT, 
- `rules[].enabled` (boolean, required) Example: `true`
- `rules[].proto` (string,null, required) Example: `tcp`
- `rules[].dport` (string,null, required) Example: `22`
- `rules[].sport` (string,null, required) Example: `null`
- `rules[].source` (string,null, required) Example: `198.51.100.10`
- `rules[].dest` (string,null, required) Example: `null`
- `rules[].description` (string,null, required) Example: `Allow SSH from office`
- `rules[].isSystem` (boolean, required) Example: `false`
- `rules[].editable` (boolean, required) Example: `true`
- `ruleCount` (integer, required) Example: `1`
- `actions` (object, required)
- `actions.canAddRule` (object, required)
- `actions.canAddRule.allowed` (boolean, required) Example: `true`
- `actions.canAddRule.reason` (string,null, required) Example: `null`
- `actions.canAddRule.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order`
- `actions.canToggleFirewall` (object, required)
- `actions.canToggleFirewall.allowed` (boolean, required) Example: `true`
- `actions.canToggleFirewall.reason` (string,null, required) Example: `null`
- `actions.canToggleFirewall.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order`

### Responses

#### 200 - VPS firewall state and rules.
```json
{
  "available": true,
  "reason": null,
  "enabled": true,
  "summary": "Firewall protection is on. Incoming traffic must match an allow rule to pass.",
  "detail": "Traffic that does not match one of the rules below is blocked before it reaches the VM.",
  "limits": {
    "maxRules": 100,
    "currentRules": 1,
    "remainingRules": 99
  },
  "rules": [
    {
      "pos": 0,
      "type": "in",
      "action": "ACCEPT",
      "enabled": true,
      "proto": "tcp",
      "dport": "22",
      "sport": null,
      "source": "198.51.100.10",
      "dest": null,
      "description": "Allow SSH from office",
      "isSystem": false,
      "editable": true
    }
  ],
  "ruleCount": 1,
  "actions": {
    "canAddRule": {
      "allowed": true,
      "reason": null
    },
    "canToggleFirewall": {
      "allowed": true,
      "reason": null
    }
  }
}
```

#### 400 - Invalid request. The response body is an RFC 7807 Problem Details document.
```json
{
  "type": "https://developer.hostup.se/errors/invalid_request",
  "title": "Invalid request",
  "status": 400,
  "detail": "The request body failed validation.",
  "code": "invalid_request",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z",
  "errors": [
    {
      "pointer": "/items/0/domainName",
      "detail": "`domainName` is required.",
      "code": "invalid_request"
    }
  ]
}
```

#### 401 - Unauthorized. Authentication is required.
```json
{
  "type": "https://developer.hostup.se/errors/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Authentication is required.",
  "code": "unauthorized",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z"
}
```

#### 403 - Forbidden. The caller lacks a required scope or does not own the resource.
```json
{
  "type": "https://developer.hostup.se/errors/forbidden",
  "title": "Forbidden",
  "status": 403,
  "detail": "The caller lacks a required scope or does not own the resource.",
  "code": "forbidden",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z"
}
```

#### 404 - Not found. The resource does not exist or is not owned by the caller.
```json
{
  "type": "https://developer.hostup.se/errors/not_found",
  "title": "Not found",
  "status": 404,
  "detail": "The requested resource could not be found.",
  "code": "not_found",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z"
}
```

#### 429 - Rate limited. Retry after the limit resets. 429 responses include `Retry-After` seconds plus `X-RateLimit-*` headers.
```json
{
  "type": "https://developer.hostup.se/errors/rate_limit_exceeded",
  "title": "Too many requests",
  "status": 429,
  "detail": "Too many requests. Retry after the limit resets.",
  "code": "rate_limit_exceeded",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z"
}
```

#### 500 - Internal error. Retry later or contact support if the issue persists.
```json
{
  "type": "https://developer.hostup.se/errors/internal_error",
  "title": "Internal server error",
  "status": 500,
  "detail": "An unexpected error occurred. Retry later or contact support if the issue persists.",
  "code": "internal_error",
  "instance": "/api/v2/resource",
  "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "timestamp": "2026-04-27T12:34:56.000Z"
}
```