Container Firewall
Section titled “Container Firewall”Manage ingress and egress firewall rules for a container. These endpoints let you list, add, toggle, remove, and reset firewall rules that control inbound and outbound traffic.
Each rule specifies an action (allow, reject, or drop), a protocol (tcp, udp, or icmp4), and matching criteria such as ports and CIDR ranges. Rules default to state: "enabled" when created.
List firewall rules
Section titled “List firewall rules”GET /api/v1/containers/{id}/firewall/rules
Get all ingress and egress firewall rules for a container.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
curl -X GET "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/rules" \ -H "Authorization: Bearer <token>"const { data } = await client.api.firewall.list({ id: "c_abc123def456" });console.log(data.ingress);console.log(data.egress);{ "statusCode": 200, "message": "Firewall rules retrieved successfully", "data": { "ingress": [ { "action": "allow", "protocol": "tcp", "description": "Allow HTTPS traffic", "destination_port": "443", "source": "0.0.0.0/0", "state": "enabled" }, { "action": "allow", "protocol": "icmp4", "description": "Allow ping from any source", "source": "0.0.0.0/0", "state": "enabled", "icmp_type": "8", "icmp_code": "0" } ], "egress": [ { "action": "allow", "protocol": "tcp", "description": "Allow outbound HTTPS", "destination_port": "443", "destination": "0.0.0.0/0", "state": "enabled" }, { "action": "drop", "protocol": "tcp", "description": "Block outbound SMTP", "destination_port": "25", "destination": "0.0.0.0/0", "state": "enabled" } ] }}{ "statusCode": 401, "error": "Unauthorized", "message": "Authentication token required"}| Error Code | Title | Description | Resolution |
|---|---|---|---|
MISSING_TOKEN | Authentication token missing | No authentication token was provided in the request | Include a valid JWT token in the Authorization header as Bearer <token> |
INVALID_TOKEN | Invalid authentication token | The provided authentication token is malformed or invalid | Obtain a new token by logging in again or using a valid auth token |
{ "statusCode": 403, "error": "Forbidden", "message": "Insufficient permissions"}| Error Code | Title | Description | Resolution |
|---|---|---|---|
INSUFFICIENT_PERMISSIONS | Insufficient permissions | You do not have the required permissions to perform this action | Contact the resource owner or administrator to request access |
{ "statusCode": 404, "error": "Not Found", "message": "Container not found"}| Error Code | Title | Description | Resolution |
|---|---|---|---|
CONTAINER_NOT_FOUND | Container not found | The requested container does not exist or you do not have permission to access it. | Verify the container ID is correct and that you have access to the project it belongs to. |
Add ingress rule
Section titled “Add ingress rule”POST /api/v1/containers/{id}/firewall/ingress
Add a new ingress (inbound) firewall rule to a container. Use this endpoint to control which traffic can reach your container. All rules default to state: "enabled" if not specified.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Action to take: allow (permit), reject (deny with response), drop (deny silently). |
protocol | string | Yes | Network protocol. One of tcp, udp, icmp4. |
description | string | Yes | Human-readable rule description. |
destination_port | string | No | Port number, range (e.g. 80-90), or comma-separated list (e.g. 80,443). Required for TCP/UDP. |
source | string | No | Source IPv4 address or CIDR range. Use 0.0.0.0/0 for any source. |
source_port | string | No | Source port filter (rarely used). |
state | string | No | Rule state. One of enabled, disabled. Defaults to enabled. |
icmp_type | string | No | ICMP type number (e.g. 8 for echo request/ping). |
icmp_code | string | No | ICMP code number. |
curl -X POST "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "action": "allow", "protocol": "tcp", "description": "Allow HTTPS", "destination_port": "443", "source": "0.0.0.0/0" }'await client.api.firewall.addIngressRule({ id: "c_abc123def456", data: { action: "allow", protocol: "tcp", description: "Allow HTTPS", destination_port: "443", source: "0.0.0.0/0" }});{ "statusCode": 200, "message": "Rule already exists", "data": {}}{ "statusCode": 201, "message": "Ingress rule added successfully", "data": {}}{ "statusCode": 400, "error": "Bad Request", "message": "Invalid request body"}{ "statusCode": 404, "error": "Not Found", "message": "Container not found"}Add egress rule
Section titled “Add egress rule”POST /api/v1/containers/{id}/firewall/egress
Add a new egress (outbound) firewall rule to a container. Use this endpoint to control which traffic your container can send. All rules default to state: "enabled" if not specified.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Action to take: allow (permit), reject (deny with response), drop (deny silently). |
protocol | string | Yes | Network protocol. One of tcp, udp, icmp4. |
description | string | Yes | Human-readable rule description. |
destination_port | string | No | Port number, range (e.g. 80-90), or comma-separated list (e.g. 80,443). Required for TCP/UDP. |
destination | string | No | Destination IPv4 address or CIDR range. Use 0.0.0.0/0 for any destination. |
source_port | string | No | Source port filter (rarely used). |
state | string | No | Rule state. One of enabled, disabled. Defaults to enabled. |
icmp_type | string | No | ICMP type number. |
icmp_code | string | No | ICMP code number. |
curl -X POST "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "action": "allow", "protocol": "tcp", "description": "Allow outbound HTTPS", "destination_port": "443", "destination": "0.0.0.0/0" }'await client.api.firewall.addEgressRule({ id: "c_abc123def456", data: { action: "allow", protocol: "tcp", description: "Allow outbound HTTPS", destination_port: "443", destination: "0.0.0.0/0" }});{ "statusCode": 200, "message": "Rule already exists", "data": {}}{ "statusCode": 201, "message": "Egress rule added successfully", "data": {}}{ "statusCode": 400, "error": "Bad Request", "message": "Invalid request body"}{ "statusCode": 404, "error": "Not Found", "message": "Container not found"}Toggle ingress rule state
Section titled “Toggle ingress rule state”PATCH /api/v1/containers/{id}/firewall/ingress
Enable or disable an ingress (inbound) firewall rule without deleting it. Provide filters to identify which rule to toggle. Useful for temporarily disabling rules.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
state | string | Yes | New state for the rule. One of enabled, disabled. |
action | string | No | Action for matching traffic. One of allow, reject, drop. Used as a filter. |
protocol | string | No | Protocol type. One of tcp, udp, icmp4. Used as a filter. |
destination_port | string | No | Destination port, range (e.g. 80-90), or list (e.g. 80,443). Used as a filter. |
source_port | string | No | Source port, range, or list. Used as a filter. |
source | string | No | Source IPv4/CIDR address(es). Used as a filter. |
description | string | No | Rule description. Used as a filter. |
icmp_type | string | No | ICMP type number for icmp4 protocol. Used as a filter. |
icmp_code | string | No | ICMP code number for icmp4 protocol. Used as a filter. |
curl -X PATCH "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "state": "disabled", "protocol": "tcp", "destination_port": "443" }'await client.api.firewall.toggleIngressRule({ id: "c_abc123def456", data: { state: "disabled", protocol: "tcp", destination_port: "443" }});{ "statusCode": 200, "message": "Ingress rule state toggled successfully", "data": { "direction": "ingress", "new_state": "disabled", "updated": { "action": "allow", "protocol": "tcp", "description": "Allow HTTPS traffic", "destination_port": "443", "source": "0.0.0.0/0", "state": "disabled" } }}{ "statusCode": 404, "error": "Not Found", "message": "Ingress rule not found"}Toggle egress rule state
Section titled “Toggle egress rule state”PATCH /api/v1/containers/{id}/firewall/egress
Enable or disable an egress (outbound) firewall rule without deleting it. Provide filters to identify which rule to toggle. Useful for temporarily disabling rules.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
state | string | Yes | New state for the rule. One of enabled, disabled. |
action | string | No | Action for matching traffic. One of allow, reject, drop. Used as a filter. |
protocol | string | No | Protocol type. One of tcp, udp, icmp4. Used as a filter. |
destination_port | string | No | Destination port, range (e.g. 80-90), or list (e.g. 80,443). Used as a filter. |
source_port | string | No | Source port, range, or list. Used as a filter. |
destination | string | No | Destination IPv4/CIDR address(es). Used as a filter. |
description | string | No | Rule description. Used as a filter. |
icmp_type | string | No | ICMP type number for icmp4 protocol. Used as a filter. |
icmp_code | string | No | ICMP code number for icmp4 protocol. Used as a filter. |
curl -X PATCH "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "state": "disabled", "protocol": "tcp", "destination_port": "25" }'await client.api.firewall.toggleEgressRule({ id: "c_abc123def456", data: { state: "disabled", protocol: "tcp", destination_port: "25" }});{ "statusCode": 200, "message": "Egress rule state toggled successfully", "data": { "direction": "egress", "new_state": "enabled", "updated": { "action": "allow", "protocol": "tcp", "description": "Allow outbound HTTPS", "destination_port": "443", "destination": "0.0.0.0/0", "state": "enabled" } }}{ "statusCode": 404, "error": "Not Found", "message": "Egress rule not found"}Remove ingress rule(s)
Section titled “Remove ingress rule(s)”DELETE /api/v1/containers/{id}/firewall/ingress
Remove one or more ingress (inbound) firewall rules. Provide filters to match specific rules, or use all: true to remove all ingress rules. Not equivalent to reset — this only deletes rules and leaves the firewall/ACL attached.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
all | boolean | No | Remove all matching rules (default: first match only). Set to true with no other filters to remove all ingress rules. |
action | string | No | Action for matching traffic. One of allow, reject, drop. Used as a filter. |
protocol | string | No | Protocol type. One of tcp, udp, icmp4. Used as a filter. |
destination_port | string | No | Destination port, range (e.g. 80-90), or list (e.g. 80,443). Used as a filter. |
source | string | No | Source IPv4/CIDR address(es). Used as a filter. |
source_port | string | No | Source port, range, or list. Used as a filter. |
description | string | No | Rule description. Used as a filter. |
state | string | No | Rule state. One of enabled, disabled. Defaults to enabled. Used as a filter. |
icmp_type | string | No | ICMP type number for icmp4 protocol. Used as a filter. |
icmp_code | string | No | ICMP code number for icmp4 protocol. Used as a filter. |
curl -X DELETE "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "protocol": "tcp", "destination_port": "22", "source": "192.168.1.0/24" }'await client.api.firewall.removeIngressRule({ id: "c_abc123def456", data: { protocol: "tcp", destination_port: "22", source: "192.168.1.0/24" }});{ "statusCode": 200, "message": "Ingress rule removed successfully", "data": { "direction": "ingress", "removed_count": 1, "removed": [ { "action": "allow", "protocol": "tcp", "description": "Allow SSH from office", "destination_port": "22", "source": "192.168.1.0/24", "state": "enabled" } ] }}{ "statusCode": 404, "error": "Not Found", "message": "Ingress rule not found"}Remove egress rule(s)
Section titled “Remove egress rule(s)”DELETE /api/v1/containers/{id}/firewall/egress
Remove one or more egress (outbound) firewall rules. Provide filters to match specific rules, or use all: true to remove all egress rules. Not equivalent to reset — this only deletes rules and leaves the firewall/ACL attached.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
Request Body
Section titled “Request Body”| Name | Type | Required | Description |
|---|---|---|---|
all | boolean | No | Remove all matching rules (default: first match only). Set to true with no other filters to remove all egress rules. |
action | string | No | Action for matching traffic. One of allow, reject, drop. Used as a filter. |
protocol | string | No | Protocol type. One of tcp, udp, icmp4. Used as a filter. |
destination_port | string | No | Destination port, range (e.g. 80-90), or list (e.g. 80,443). Used as a filter. |
destination | string | No | Destination IPv4/CIDR address(es). Used as a filter. |
source_port | string | No | Source port, range, or list. Used as a filter. |
description | string | No | Rule description. Used as a filter. |
state | string | No | Rule state. One of enabled, disabled. Defaults to enabled. Used as a filter. |
icmp_type | string | No | ICMP type number for icmp4 protocol. Used as a filter. |
icmp_code | string | No | ICMP code number for icmp4 protocol. Used as a filter. |
curl -X DELETE "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "all": true }'await client.api.firewall.removeEgressRule({ id: "c_abc123def456", data: { all: true }});{ "statusCode": 200, "message": "Egress rules removed successfully", "data": { "direction": "egress", "removed_count": 2, "removed": [ { "action": "allow", "protocol": "tcp", "description": "Allow outbound HTTPS", "destination_port": "443", "destination": "0.0.0.0/0", "state": "enabled" }, { "action": "allow", "protocol": "tcp", "description": "Allow outbound DNS", "destination_port": "53", "destination": "8.8.8.8", "state": "enabled" } ] }}{ "statusCode": 404, "error": "Not Found", "message": "Egress rule not found"}Reset container firewall
Section titled “Reset container firewall”POST /api/v1/containers/{id}/firewall/reset
Delete ACL and detach from bridge, returning the container to an open state.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Container ID |
This endpoint takes no request body.
curl -X POST "https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/reset" \ -H "Authorization: Bearer <token>"await client.api.firewall.reset({ id: "c_abc123def456" });{ "statusCode": 200, "message": "Firewall reset successfully", "data": { "rules": { "ingress": [], "egress": [] } }}{ "statusCode": 404, "error": "Not Found", "message": "Container not found"}