## POST /api/v2/vps/{id}/firewall **Add VPS firewall rule** Add one inbound firewall rule to a VPS. This customer-facing v2 route manages inbound allow/drop/reject rules only, so request `type` must be `in`. Outbound rules or shared firewall-group references may appear in the read response from upstream, but they are not created through this per-VPS write endpoint. Read the firewall list first to check `actions.canAddRule` and rule limits. The create response may have `pos: null`; re-read `GET /api/v2/vps/{id}/firewall` to get authoritative positions before editing or deleting. ### Related Endpoints - `GET /api/v2/vps/{id}/firewall`: List VPS firewall rules - `PUT /api/v2/vps/{id}/firewall/{pos}`: Replace VPS firewall rule - `DELETE /api/v2/vps/{id}/firewall/{pos}`: Delete VPS firewall rule ### Headers - `Accept`: application/json - `Authorization`: Bearer YOUR_API_KEY - Required API scope: `write:vm` - `Content-Type`: application/json ### Parameters - `id` (path, string, required): Public VPS ID from `GET /api/v2/vps` `data[].id`. Do not invent this value; use the exact ID returned by the referenced API response. Example: `vps_01hxa3b4c5d6e7f8g9h0j1k2m3` ### Request Body - `type` (string, required): Inbound rule. Per-VPS v2 firewall writes do not create outbound rules or firewall-group references. Example: `in` Allowed values: in - `action` (string, required) Example: `ACCEPT` Allowed values: ACCEPT, DROP, REJECT - `enabled` (boolean, optional): Omit to keep the platform default for newly staged rules; send true to enable immediately. Example: `true` - `proto` (string,null, optional) Example: `tcp` - `dport` (string,null, optional) Example: `22` - `sport` (string,null, optional) Example: `null` - `source` (string,null, optional) Example: `198.51.100.10` - `dest` (string,null, optional) Example: `null` - `description` (string,null, optional) Example: `Allow SSH from office` ### Request Examples #### Allow SSH from office ```bash curl -X POST "https://cloud.hostup.se/api/v2/vps/vps_01hxa3b4c5d6e7f8g9h0j1k2m3/firewall" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d '{ "type": "in", "action": "ACCEPT", "enabled": true, "proto": "tcp", "dport": "22", "source": "198.51.100.10", "description": "Allow SSH from office" }' ``` ```json { "type": "in", "action": "ACCEPT", "enabled": true, "proto": "tcp", "dport": "22", "source": "198.51.100.10", "description": "Allow SSH from office" } ``` ### Response Schema - `pos` (integer,null, required) Example: `0` - `type` (string,null, required): Created per-VPS rules are inbound. The list endpoint can still show read-only `out` or `group` rules that already exist upstream. Example: `in` Allowed values: in, - `action` (string,null, required) Example: `ACCEPT` Allowed values: ACCEPT, DROP, REJECT, - `enabled` (boolean, required) Example: `true` - `proto` (string,null, required) Example: `tcp` - `dport` (string,null, required) Example: `22` - `sport` (string,null, required) Example: `null` - `source` (string,null, required) Example: `198.51.100.10` - `dest` (string,null, required) Example: `null` - `description` (string,null, required) Example: `Allow SSH from office` - `isSystem` (boolean, required) Example: `false` - `editable` (boolean, required) Example: `true` ### Responses #### 201 - Firewall rule created. ```json { "pos": null, "type": "in", "action": "ACCEPT", "enabled": true, "proto": "tcp", "dport": "22", "sport": null, "source": "198.51.100.10", "dest": null, "description": "Allow SSH from office", "isSystem": false, "editable": true } ``` #### 400 - Invalid request. The response body is an RFC 7807 Problem Details document. ```json { "type": "https://developer.hostup.se/errors/invalid_request", "title": "Invalid request", "status": 400, "detail": "The request body failed validation.", "code": "invalid_request", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z", "errors": [ { "pointer": "/items/0/domainName", "detail": "`domainName` is required.", "code": "invalid_request" } ] } ``` #### 401 - Unauthorized. Authentication is required. ```json { "type": "https://developer.hostup.se/errors/unauthorized", "title": "Unauthorized", "status": 401, "detail": "Authentication is required.", "code": "unauthorized", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 403 - Forbidden. The caller lacks a required scope or does not own the resource. ```json { "type": "https://developer.hostup.se/errors/forbidden", "title": "Forbidden", "status": 403, "detail": "The caller lacks a required scope or does not own the resource.", "code": "forbidden", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 404 - Not found. The resource does not exist or is not owned by the caller. ```json { "type": "https://developer.hostup.se/errors/not_found", "title": "Not found", "status": 404, "detail": "The requested resource could not be found.", "code": "not_found", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 429 - Rate limited. Retry after the limit resets. 429 responses include `Retry-After` seconds plus `X-RateLimit-*` headers. ```json { "type": "https://developer.hostup.se/errors/rate_limit_exceeded", "title": "Too many requests", "status": 429, "detail": "Too many requests. Retry after the limit resets.", "code": "rate_limit_exceeded", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 500 - Internal error. Retry later or contact support if the issue persists. ```json { "type": "https://developer.hostup.se/errors/internal_error", "title": "Internal server error", "status": 500, "detail": "An unexpected error occurred. Retry later or contact support if the issue persists.", "code": "internal_error", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ```