What Are Network Ports?
A port is a 16-bit number (0–65535) that identifies a specific process or service on a device, sitting alongside the IP address to form a complete socket. The IP address gets a packet to the right machine; the port number gets it to the right application on that machine. A single server can run a web server on port 80, an SSH daemon on port 22, and a mail server on port 25 simultaneously — the port number is what keeps their traffic from colliding.
Port numbers are governed by RFC 6335, which defines the IANA Service Name and Transport Protocol Port Number Registry and splits the 65,536 possible ports into three ranges:
- System / well-known ports (0–1023): Reserved by IANA for core internet services — HTTP, HTTPS, SSH, DNS, SMTP. On Unix-like systems, binding to a port in this range requires root or elevated privileges.
- User / registered ports (1024–49151): IANA-registered but not privileged. This is where most application and database servers live — MySQL (3306), RDP (3389), PostgreSQL (5432).
- Dynamic / ephemeral ports (49152–65535): Never assigned to a fixed service. The OS hands one of these out temporarily whenever a client opens an outbound connection, and it's released once the connection closes.
The full, authoritative list — updated continuously — lives in the IANA Service Name and Port Number Registry. Everything in the reference table below is drawn from that registry, cross-checked against current vendor documentation.
How Do Port Numbers Work?
Every TCP or UDP connection is uniquely identified by a 4-tuple: source IP, source port, destination IP, destination port. When your browser requests https://example.com, it opens a connection from an ephemeral source port (say, 51342) on your machine to destination port 443 on the server. The server's response comes back to that same ephemeral port, so your OS knows which browser tab it belongs to — not port 443 on your own machine.
TCP and UDP maintain separate port namespaces. Port 53/TCP (DNS zone transfers) and port 53/UDP (standard DNS queries) are two different sockets that happen to share a number — a service can bind to one without touching the other. That's why the reference table below lists a protocol column: the same number means different things on TCP versus UDP for services like DNS and DHCP.
A worked example — a client opening two connections to the same HTTPS server looks like this on the server side:
Proto Local Address Foreign Address State
tcp 203.0.113.10:443 198.51.100.22:51342 ESTABLISHED
tcp 203.0.113.10:443 198.51.100.22:52108 ESTABLISHED
Same destination port (443), two different foreign (client) ports — that's how one web server handles thousands of simultaneous connections on a single port number.
Common Network Ports Reference Table
| Port | Protocol | Service | Description |
|---|---|---|---|
| 20/21 | TCP | FTP | File Transfer Protocol — 20 is data, 21 is control. Unencrypted; superseded by SFTP/FTPS. |
| 22 | TCP | SSH / SFTP | Secure Shell — encrypted remote login, command execution, and secure file transfer. |
| 23 | TCP | Telnet | Unencrypted remote login. Legacy only — credentials pass in plaintext. |
| 25 | TCP | SMTP | Mail server-to-server relay. Most ISPs block outbound 25 to fight spam. |
| 53 | TCP/UDP | DNS | UDP for standard queries (<512 bytes); TCP for zone transfers and large/DNSSEC responses. |
| 67/68 | UDP | DHCP | Server (67) and client (68) — automatic IP address assignment. |
| 69 | UDP | TFTP | Trivial File Transfer Protocol — no authentication, used for network boot/config. |
| 80 | TCP | HTTP | Unencrypted web traffic. |
| 88 | TCP/UDP | Kerberos | Network authentication protocol used heavily in Active Directory. |
| 110 | TCP | POP3 | Retrieves mail and typically deletes it from the server after download. |
| 123 | UDP | NTP | Network Time Protocol — clock synchronization. |
| 143 | TCP | IMAP | Retrieves mail while keeping it synced on the server across devices. |
| 161/162 | UDP | SNMP | Network device monitoring (161 queries, 162 traps/alerts). |
| 389 | TCP/UDP | LDAP | Directory service queries — user/group lookups in AD and other directories. |
| 443 | TCP/UDP | HTTPS | Encrypted web traffic (TLS). UDP/443 carries HTTP/3 over QUIC. |
| 445 | TCP | SMB | Windows file and printer sharing. High-value attack target — see below. |
| 465 | TCP | SMTPS | SMTP over implicit TLS, commonly used for authenticated mail submission. |
| 514 | UDP | Syslog | Unencrypted log forwarding to a centralized log server. |
| 587 | TCP | SMTP Submission | The standard port for authenticated outbound mail from clients (per RFC 6409). |
| 993 | TCP | IMAPS | IMAP over implicit TLS. |
| 995 | TCP | POP3S | POP3 over implicit TLS. |
| 1433 | TCP | MSSQL | Microsoft SQL Server default listener port. |
| 1521 | TCP | Oracle DB | Oracle database default listener port. |
| 3306 | TCP | MySQL | MySQL / MariaDB default port. |
| 3389 | TCP/UDP | RDP | Windows Remote Desktop Protocol. High-value attack target — see below. |
| 5432 | TCP | PostgreSQL | PostgreSQL default port. |
| 5900 | TCP | VNC | Virtual Network Computing remote desktop. |
| 6379 | TCP | Redis | Redis default port — unauthenticated by default in older versions. |
| 8080 | TCP | HTTP-Alt | Common alternate HTTP port for proxies, dev servers, and app servers. |
| 8443 | TCP | HTTPS-Alt | Common alternate HTTPS port for admin panels and app servers. |
| 27017 | TCP | MongoDB | MongoDB default port. |
Ports 80, 443, 22, and 53 account for the large majority of general internet traffic; everything from 1024 up is either a registered application port or a temporary one your OS assigned for an outbound connection.
Which Ports Are High-Risk and Should Never Be Exposed?
Not every port on this list is safe to leave open to the internet. A handful carry a track record of remote-exploitation that makes internet-facing exposure a direct incident risk:
- 445 (SMB): Windows file sharing. The MS17-010 vulnerability in SMBv1 was the entry point for the 2017 WannaCry and NotPetya outbreaks — Microsoft's own guidance is to block inbound/outbound SMB (ports 445, 139, 137, 138) at the network perimeter.
- 3389 (RDP): Windows Remote Desktop. CVE-2019-0708 ("BlueKeep") is a wormable, pre-authentication remote code execution flaw in RDP; CISA's guidance is to never expose RDP directly to the internet — put it behind a VPN or an RD Gateway with MFA instead.
- 23 (Telnet): Sends credentials in cleartext. There is no legitimate reason to expose this externally in 2026 — use SSH (22).
- 3306 / 5432 / 1433 / 27017 / 6379 (database ports): MySQL, PostgreSQL, MSSQL, MongoDB, and Redis are designed to be reached by application servers on a private network, not the public internet. Exposing a database port directly is one of the most common causes of ransomware-driven data-wipe attacks against misconfigured cloud instances.
- 69 (TFTP) and 514 (Syslog): Both are unauthenticated by design. They belong on isolated management VLANs, never on a public interface.
The rule of thumb: if a port carries authentication, file access, or a database protocol, it should sit behind a VPN, bastion host, or firewall allow-list — not a public IP. Run your own perimeter against this list with the Port Scanner to confirm nothing on this shortlist is reachable from outside your network.
How Do You Check Which Ports Are Open?
On Linux, list listening sockets with process names:
ss -tulpn
# -t TCP -u UDP -l listening only -p show process -n numeric ports
sudo netstat -tulpn
On macOS, netstat doesn't show process names by default — use lsof:
sudo lsof -i -P -n | grep LISTEN
On Windows (PowerShell), list active TCP connections with owning process:
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess
Or the classic:
netstat -ano
To check whether a specific remote port is reachable (not just locally listening), test the connection directly:
nmap -p 22,80,443,3389 203.0.113.10
Test-NetConnection -ComputerName 203.0.113.10 -Port 443
A port scan against a well-configured host should show filtered or closed for anything not intentionally exposed, and open only for the services you meant to publish. Run the same check from outside your network with the Port Scanner — a locally-run netstat only tells you what's listening, not what's actually reachable past your firewall or NAT.
Common Port Errors and What They Mean
"Connection refused" — A device answered at that IP, but nothing is listening on the port you targeted (or a firewall actively rejected the packet with an RST). Fix: confirm the service is running and bound to the expected interface, not just 127.0.0.1.
"Connection timed out" — No response at all; usually a firewall silently dropping the packet, an unreachable host, or a NAT/routing gap. Fix: check the firewall rule chain in both directions and confirm the route with a traceroute.
"Filtered" in a port scan — The scanner can't tell if the port is open or closed because something (a firewall, an IDS) is dropping probe packets without a response. This is the expected, correct state for any port you haven't deliberately opened.
Address already in use (bind failure) — Another process already holds that port on the local machine. Fix: find the owning process with ss -tulpn or lsof -i :PORT and stop or reconfigure it before the new service can bind.
Port open but the application still doesn't respond — The transport layer is fine; the failure is in the application itself (wrong vhost, expired TLS cert, application crash). Rule out the network layer first with a plain connection test, then check the app's own logs.
Key Takeaways
- ✓ Ports 0–1023 are IANA well-known ports, 1024–49151 are registered, and 49152–65535 are dynamic/ephemeral, per RFC 6335.
- ✓ TCP and UDP keep separate port namespaces — port 53/UDP and 53/TCP are distinct sockets that serve different DNS functions.
- ✓ 445 (SMB) and 3389 (RDP) have documented wormable RCE histories (MS17-010, CVE-2019-0708) and should never face the public internet directly.
- ✓ Database ports (3306, 5432, 1433, 27017, 6379) belong on a private network, reachable only by application servers — not the internet.
- ✓ "Filtered" is the correct, expected result for a port scan against anything you haven't deliberately published.
Frequently Asked Questions
Q: What port does HTTPS use?
HTTPS uses TCP port 443 for standard TLS connections. As of 2026, browsers and servers supporting HTTP/3 also use UDP port 443 for QUIC-based connections, so 443 now carries both TCP and UDP traffic depending on protocol support.
Q: What is the difference between a well-known port and a registered port?
Well-known ports (0–1023) are IANA-reserved for core internet services like HTTP and SSH and require elevated privileges to bind on most operating systems. Registered ports (1024–49151) are documented with IANA but aren't privileged — this range covers most database and application servers.
Q: Why do some ports show as "filtered" instead of "open" or "closed"?
"Filtered" means a firewall or filtering device is dropping the scan probes without sending a response, so the scanner can't confirm the port's true state. This is normal and expected for any port you haven't intentionally exposed.
Q: Is it safe to leave port 22 (SSH) open to the internet?
SSH itself is encrypted and reasonably safe to expose, but it's a constant brute-force target. Reduce risk by disabling password authentication in favor of key-based auth, moving it off the default port as one layer of noise reduction, and rate-limiting or fail2ban-ing failed login attempts.
Q: What port does DNS use, and why does it matter that it's both TCP and UDP?
DNS uses UDP port 53 for standard queries under 512 bytes and TCP port 53 for zone transfers, DNSSEC responses, and any response too large for UDP. A firewall that blocks TCP/53 while allowing UDP/53 will cause intermittent DNS failures on large or DNSSEC-signed responses — check both with the DNS Lookup tool.
Q: Which ports should a home router never have open to the internet?
At minimum, block inbound 23 (Telnet), 445 (SMB), 3389 (RDP), and any database port (3306, 5432, 1433) at the router. Most consumer routers don't forward these by default — the risk is usually a manual port-forward rule added for remote access and never removed. See the Home Network Security Guide for a full router hardening checklist.
Q: What's the difference between port 20 and port 21 in FTP?
Port 21 is the FTP control channel — it handles authentication and commands. Port 20 is the data channel used in active-mode FTP to actually transfer file contents. Passive-mode FTP (the modern default) negotiates a different data port instead of using 20 directly.
Next Steps
Cross-reference this table against your own network before trusting it in production. Run an external scan with the Port Scanner to see which ports are actually reachable from outside your firewall — don't assume a rule you set months ago is still in effect. If you're mapping out subnet ranges or firewall rules, pair it with the Subnet Calculator, and use IP Lookup or What Is My IP to confirm which address you're actually testing from.
For the concepts behind the numbers, see CIDR & Subnetting Explained, How to Read a Traceroute, and What Is a Network Security Key? — and if a connection is timing out rather than refusing, walk the path with the Ping Test or Traceroute tools before assuming it's a port problem at all.