Add VPS firewall rule

Add one inbound firewall rule to a VPS. This customer-facing v2 route manages inbound allow/drop/reject rules only, so request type must be in. Outbound rules or shared firewall-group references may appear in the read response from upstream, but they are not created through this per-VPS write endpoint. Read the firewall list first to check actions.canAddRule and rule limits. The create response may have pos: null; re-read GET /api/v2/vps/{id}/firewall to get authoritative positions before editing or deleting.

VPS Services Firewall

Authentication

Required API scope: write:vm

Use Authorization: Bearer <token> for API keys. Dashboard sessions may also use hostup_session.

Context

Related endpoints

GET /api/v2/vps/{id}/firewall List VPS firewall rules PUT /api/v2/vps/{id}/firewall/{pos} Replace VPS firewall rule DELETE /api/v2/vps/{id}/firewall/{pos} Delete VPS firewall rule

Path Parameters

id string required Example: vps_01hxa3b4c5d6e7f8g9h0j1k2m3

Public VPS ID from `GET /api/v2/vps` `data[].id`. Do not invent this value; use the exact ID returned by the referenced API response.

Headers

Accept Example

Content-Type Example

Body

required

application/json

type string · enum required · Example: in

Inbound rule. Per-VPS v2 firewall writes do not create outbound rules or firewall-group references.

in

action string · enum required · Example: ACCEPT

ACCEPT

DROP

REJECT

enabled boolean · Example: true

Omit to keep the platform default for newly staged rules; send true to enable immediately.

proto stringnull · Example: tcp

dport stringnull · Example: 22

sport stringnull · Example: null

source stringnull · Example: 198.51.100.10

dest stringnull · Example: null

description stringnull · Example: Allow SSH from office

Responses

201 Firewall rule created.

pos integernull required · Example: 0

type stringnull · enum required · Example: in

Created per-VPS rules are inbound. The list endpoint can still show read-only `out` or `group` rules that already exist upstream.

in

action stringnull · enum required · Example: ACCEPT

ACCEPT

DROP

REJECT

enabled boolean required · Example: true

proto stringnull required · Example: tcp

dport stringnull required · Example: 22

sport stringnull required · Example: null

source stringnull required · Example: 198.51.100.10

dest stringnull required · Example: null

description stringnull required · Example: Allow SSH from office

isSystem boolean required · Example: false

editable boolean required · Example: true

400 Invalid request. The response body is an RFC 7807 Problem Details document.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

401 Unauthorized. Authentication is required.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

403 Forbidden. The caller lacks a required scope or does not own the resource.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

404 Not found. The resource does not exist or is not owned by the caller.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

429 Rate limited. Retry after the limit resets. 429 responses include `Retry-After` seconds plus `X-RateLimit-*` headers.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

500 Internal error. Retry later or contact support if the issue persists.

type string · Example: https://developer.hostup.se/errors/invalid_request

title string · Example: Validation failed

status integer · Example: 400

detail string · Example: The request body failed validation.

code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders

requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3

timestamp string · Example: 2026-04-27T12:34:56.000Z

errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode

errors[].detail string required · Example: `eppCode` is required for this transfer.

errors[].code string required · Example: missing_required

extensions object

POST https://cloud.hostup.se/api/v2/vps/{id}/firewall

For AI assistants

View as Markdown

cURL

curl -X POST "https://cloud.hostup.se/api/v2/vps/vps_01hxa3b4c5d6e7f8g9h0j1k2m3/firewall" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "in",
    "action": "ACCEPT",
    "enabled": true,
    "proto": "tcp",
    "dport": "22",
    "source": "198.51.100.10",
    "description": "Allow SSH from office"
  }'

Response

{
  "pos": null,
  "type": "in",
  "action": "ACCEPT",
  "enabled": true,
  "proto": "tcp",
  "dport": "22",
  "sport": null,
  "source": "198.51.100.10",
  "dest": null,
  "description": "Allow SSH from office",
  "isSystem": false,
  "editable": true
}

{
  "type": "object",
  "properties": {
    "pos": {
      "type": [
        "integer",
        "null"
      ]
    },
    "type": {
      "type": [
        "string",
        "null"
      ],
      "description": "Created per-VPS rules are inbound. The list endpoint can still show read-only `out` or `group` rules that already exist upstream.",
      "enum": [
        "in",
        null
      ]
    },
    "action": {
      "type": [
        "string",
        "null"
      ],
      "enum": [
        "ACCEPT",
        "DROP",
        "REJECT",
        null
      ]
    },
    "enabled": {
      "type": "boolean"
    },
    "proto": {
      "type": [
        "string",
        "null"
      ]
    },
    "dport": {
      "type": [
        "string",
        "null"
      ]
    },
    "sport": {
      "type": [
        "string",
        "null"
      ]
    },
    "source": {
      "type": [
        "string",
        "null"
      ]
    },
    "dest": {
      "type": [
        "string",
        "null"
      ]
    },
    "description": {
      "type": [
        "string",
        "null"
      ]
    },
    "isSystem": {
      "type": "boolean"
    },
    "editable": {
      "type": "boolean"
    }
  }
}

Request Body Allow SSH from office

{
  "type": "in",
  "action": "ACCEPT",
  "enabled": true,
  "proto": "tcp",
  "dport": "22",
  "source": "198.51.100.10",
  "description": "Allow SSH from office"
}