The Container Firewall API controls ingress (inbound) and egress (outbound) network traffic for a container. Use these endpoints to list, add, toggle, remove, and reset firewall rules. Each container has independent rule sets for inbound and outbound traffic, and rules default to state: "enabled" when created.
Firewall rules are identified by their matching fields (protocol, ports, source/destination). To uniquely target a rule, provide enough filter fields in the request body to match a single rule.
Rules share a common shape across all endpoints:
Field Type Description actionstring One of "allow", "reject", or "drop" protocolstring One of "tcp", "udp", or "icmp4" descriptionstring Human-readable rule description destination_portstring Port number, range (80-90), or comma-separated list (80,443). Required for TCP/UDP. sourcestring Source IPv4 address or CIDR range (ingress only) destinationstring Destination IPv4 address or CIDR range (egress only) source_portstring Source port filter (rarely used) statestring "enabled" or "disabled". Defaults to "enabled".icmp_typestring ICMP type number (icmp4 protocol only) icmp_codestring ICMP code number (icmp4 protocol only)
Get all ingress and egress firewall rules for a container.
Name In Type Required Description idpath string Yes Container ID
const { data } = await client . api . firewall . listIterator ( {
curl -X GET " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/rules " \
-H " Authorization: Bearer <token> "
"message" : " Firewall rules retrieved successfully " ,
"description" : " Allow HTTPS traffic " ,
"destination_port" : " 443 " ,
"description" : " Allow ping from any source " ,
"description" : " Allow outbound HTTPS " ,
"destination_port" : " 443 " ,
"destination" : " 0.0.0.0/0 " ,
"description" : " Block outbound SMTP " ,
"destination_port" : " 25 " ,
"destination" : " 0.0.0.0/0 " ,
"message" : " Authentication token required "
Error Code Title Description Resolution MISSING_TOKENAuthentication token missing No authentication token was provided in the request Include a valid JWT token in the Authorization header as Bearer <token> INVALID_TOKENInvalid authentication token The provided authentication token is malformed or invalid Obtain a new token by logging in again or using a valid auth token
"message" : " Insufficient permissions "
Error Code Title Description Resolution INSUFFICIENT_PERMISSIONSInsufficient permissions You do not have the required permissions to perform this action Contact the resource owner or administrator to request access
"message" : " Container not found "
Error Code Title Description Resolution CONTAINER_NOT_FOUNDContainer not found The requested container does not exist or you do not have permission to access it. Verify the container ID is correct and that you have access to the project it belongs to.
The addEgressRule and addIngressRule endpoints append a single rule to the specified direction. If an equivalent rule already exists, the API returns 200 with a duplicate flag in the data; otherwise it returns 201.
Add a new ingress (inbound) firewall rule to a container. Use this endpoint to control which traffic can reach your container. All rules default to state: "enabled" if not specified.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description actionstring Yes One of "allow", "reject", or "drop" protocolstring Yes One of "tcp", "udp", or "icmp4" descriptionstring Yes Human-readable rule description destination_portstring No Port number, range (80-90), or comma-separated list (80,443). Required for TCP/UDP. sourcestring No Source IPv4 address or CIDR range. Use 0.0.0.0/0 for any source. source_portstring No Source port filter (rarely used) statestring No "enabled" or "disabled". Defaults to "enabled".icmp_typestring No ICMP type number (e.g., 8 for echo request/ping) icmp_codestring No ICMP code number
await client . api . firewall . addIngressRule ({
description: " Allow HTTPS " ,
curl -X POST " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"description": "Allow HTTPS",
"destination_port": "443",
"message" : " Ingress rule added successfully " ,
Returned when an equivalent rule already exists.
"message" : " Rule already exists " ,
"message" : " Invalid request body "
"message" : " Container not found "
Add a new egress (outbound) firewall rule to a container. Use this endpoint to control which traffic your container can send. All rules default to state: "enabled" if not specified.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description actionstring Yes One of "allow", "reject", or "drop" protocolstring Yes One of "tcp", "udp", or "icmp4" descriptionstring Yes Human-readable rule description destination_portstring No Port number, range (80-90), or comma-separated list (80,443). Required for TCP/UDP. destinationstring No Destination IPv4 address or CIDR range. Use 0.0.0.0/0 for any destination. source_portstring No Source port filter (rarely used) statestring No "enabled" or "disabled". Defaults to "enabled".icmp_typestring No ICMP type number icmp_codestring No ICMP code number
await client . api . firewall . addEgressRule ({
description: " Allow outbound HTTPS " ,
curl -X POST " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"description": "Allow outbound HTTPS",
"destination_port": "443",
"destination": "0.0.0.0/0"
"message" : " Egress rule added successfully " ,
Returned when an equivalent rule already exists.
"message" : " Rule already exists " ,
"message" : " Invalid request body "
"message" : " Container not found "
The toggleIngressRule and toggleEgressRule endpoints change the state of an existing rule without deleting it. The body identifies the rule by matching fields and supplies the new state.
Enable or disable an ingress (inbound) firewall rule without deleting it. Provide filters to identify which rule to toggle. Useful for temporarily disabling rules.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description statestring Yes New state: "enabled" or "disabled" actionstring No Filter by action: "allow", "reject", or "drop" protocolstring No Filter by protocol: "tcp", "udp", or "icmp4" destination_portstring No Filter by destination port, range, or list source_portstring No Filter by source port sourcestring No Filter by source IPv4/CIDR descriptionstring No Filter by rule description icmp_typestring No Filter by ICMP type number icmp_codestring No Filter by ICMP code number
await client . api . firewall . toggleIngressRule ({
curl -X PATCH " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"destination_port": "443"
"message" : " Ingress rule state toggled successfully " ,
"description" : " Allow HTTPS traffic " ,
"destination_port" : " 443 " ,
"message" : " Matching ingress rule not found "
Enable or disable an egress (outbound) firewall rule without deleting it. Provide filters to identify which rule to toggle. Useful for temporarily disabling rules.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description statestring Yes New state: "enabled" or "disabled" actionstring No Filter by action: "allow", "reject", or "drop" protocolstring No Filter by protocol: "tcp", "udp", or "icmp4" destination_portstring No Filter by destination port, range, or list source_portstring No Filter by source port destinationstring No Filter by destination IPv4/CIDR descriptionstring No Filter by rule description icmp_typestring No Filter by ICMP type number icmp_codestring No Filter by ICMP code number
await client . api . firewall . toggleEgressRule ({
curl -X PATCH " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"message" : " Egress rule state toggled successfully " ,
"description" : " Allow outbound HTTPS " ,
"destination_port" : " 443 " ,
"destination" : " 0.0.0.0/0 " ,
"message" : " Matching egress rule not found "
The removeIngressRule and removeEgressRule endpoints delete one or more rules. By default, only the first matching rule is removed; pass all: true to remove every rule that matches the supplied filters, or pass all: true alone to remove all rules in that direction.
Remove one or more ingress (inbound) firewall rules. Provide filters to match specific rules, or use all: true to remove all ingress rules. Not equivalent to reset - this only deletes rules and leaves the firewall/ACL attached.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description allboolean No Remove all matching rules (default: first match only). Set to true with no other filters to remove all ingress rules. actionstring No Filter by action: "allow", "reject", or "drop" protocolstring No Filter by protocol: "tcp", "udp", or "icmp4" destination_portstring No Filter by destination port, range, or list sourcestring No Filter by source IPv4/CIDR source_portstring No Filter by source port descriptionstring No Filter by rule description statestring No Filter by state. Defaults to "enabled". icmp_typestring No Filter by ICMP type number icmp_codestring No Filter by ICMP code number
// Remove a specific rule
await client . api . firewall . removeIngressRule ({
// Remove all ingress rules
await client . api . firewall . removeIngressRule ({
curl -X DELETE " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/ingress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"destination_port": "22",
"source": "192.168.1.0/24"
"message" : " Ingress rule removed successfully " ,
"description" : " Allow SSH from office " ,
"destination_port" : " 22 " ,
"source" : " 192.168.1.0/24 " ,
"message" : " Matching ingress rule not found "
Remove one or more egress (outbound) firewall rules. Provide filters to match specific rules, or use all: true to remove all egress rules. Not equivalent to reset - this only deletes rules and leaves the firewall/ACL attached.
Name In Type Required Description idpath string Yes Container ID
Name Type Required Description allboolean No Remove all matching rules (default: first match only). Set to true with no other filters to remove all egress rules. actionstring No Filter by action: "allow", "reject", or "drop" protocolstring No Filter by protocol: "tcp", "udp", or "icmp4" destination_portstring No Filter by destination port, range, or list destinationstring No Filter by destination IPv4/CIDR source_portstring No Filter by source port descriptionstring No Filter by rule description statestring No Filter by state. Defaults to "enabled". icmp_typestring No Filter by ICMP type number icmp_codestring No Filter by ICMP code number
// Remove a specific rule
await client . api . firewall . removeEgressRule ({
// Remove all egress rules
await client . api . firewall . removeEgressRule ({
curl -X DELETE " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/egress " \
-H " Authorization: Bearer <token> " \
-H " Content-Type: application/json " \
"message" : " Egress rules removed successfully " ,
"description" : " Allow outbound HTTPS " ,
"destination_port" : " 443 " ,
"destination" : " 0.0.0.0/0 " ,
"description" : " Allow outbound DNS " ,
"destination_port" : " 53 " ,
"destination" : " 8.8.8.8 " ,
"message" : " Matching egress rule not found "
Delete the ACL and detach the container from the firewall bridge, returning the container to an open network state. Use this when you want to fully disable the firewall rather than remove individual rules.
Name In Type Required Description idpath string Yes Container ID
await client . api . firewall . reset ({
curl -X POST " https://api.hoody.com/api/v1/containers/c_abc123def456/firewall/reset " \
-H " Authorization: Bearer <token> "
"message" : " Firewall reset successfully " ,
"message" : " Container not found "
