What Are Network Ports? Port Numbers Explained

What Is a Network Port?

A network port is a virtual endpoint for network communications. It's a number from 0 to 65535 that identifies a specific process or service on a device. Ports allow a single IP address to run many services simultaneously — your computer can serve a web page on port 80, receive email on port 25, and accept SSH connections on port 22 all at the same time, because each service "listens" on its own port number.

Think of an IP address as a street address for a building and ports as apartment numbers. The building (server) at one street address (IP) has many apartments (ports), each housing a different resident (service). A mail carrier (data packet) with address "123 Main St, Apt 443" goes to the building and knocks on apartment 443, where HTTPS is home.

Ports are defined at the transport layer of the network stack, in the TCP or UDP header of each packet. Every connection has four components: source IP, source port, destination IP, and destination port — together called a "socket." This four-tuple uniquely identifies each network connection, allowing your OS to route responses to the correct application.

TCP vs UDP Ports

Ports exist in two flavors corresponding to the two main transport protocols:

TCP (Transmission Control Protocol) ports — used by applications that require reliable, ordered delivery. TCP establishes a connection (three-way handshake), numbers packets, and retransmits lost ones. TCP ports are used for:

HTTP/HTTPS web browsing (ports 80/443)
Email (ports 25, 587, 993, 995)
SSH (port 22), FTP (ports 20/21), Database connections
Any application where data integrity matters more than speed

UDP (User Datagram Protocol) ports — used by applications that prioritize speed over reliability. UDP sends packets without connection establishment or delivery confirmation. UDP ports are used for:

DNS queries (port 53)
Online gaming (various ports)
VoIP and video streaming (ports vary by application)
DHCP (ports 67/68)
QUIC (HTTP/3) on port 443 UDP

Both TCP and UDP port 53 exist independently — DNS uses both, with UDP for most queries and TCP for large responses. Use our port checker to test whether specific TCP ports are accessible from the internet.

The Three Port Number Ranges

The 65,536 available port numbers (0–65535) are divided into three ranges by the IANA (Internet Assigned Numbers Authority):

Well-Known Ports (0–1023) — reserved for standard system services. On Unix/Linux systems, binding to these ports requires root/administrator privileges. Examples: HTTP (80), HTTPS (443), SSH (22), FTP (21), SMTP (25), DNS (53).
Registered Ports (1024–49151) — assigned by IANA to specific applications, but don't require special OS privileges to use. Examples: MySQL (3306), PostgreSQL (5432), Redis (6379), RDP (3389), IMAP (143).
Dynamic/Ephemeral Ports (49152–65535) — automatically assigned by the operating system for client-side connections. When your browser connects to a server, it uses a temporary ephemeral port for the source port (e.g., your browser connects from port 52847 to the server's port 443). The range varies by OS.

See our complete guide to common port numbers for a reference list of the ports most relevant for network administration and security.

🛡️

Check Your Open Ports Now

Use our free port checker to see which ports on your IP are publicly accessible from the internet

Hide My IP Now

Why Ports Matter for Security

Open ports represent attack surface. Every open port is a running service that could contain vulnerabilities. This is why firewall configuration focuses on allowing only necessary ports and blocking everything else — a principle called "default deny."

Common security practices around ports:

Close unused ports — a port that's open but not needed is pure risk. Disable services you don't use.
Move SSH off port 22 — changing SSH to a non-standard port (e.g., 2222) dramatically reduces automated brute-force attempts in server logs, since most bots only scan port 22.
Use port knocking — keep sensitive ports closed by default, requiring a specific sequence of connection attempts to "unlock" them temporarily.
Audit open ports regularly — use nmap -sS localhost to see what's listening on your machine, or run our port checker to see what's exposed from the internet.
Don't rely on port obscurity alone — changing a port number slows down automated scanners but doesn't stop determined attackers who will run full-range scans.

Port Forwarding and NAT

Most home networks use NAT (Network Address Translation), which maps many internal private IP addresses to a single public IP. By default, NAT blocks all unsolicited incoming connections — your internal devices are not directly reachable from the internet.

Port forwarding punches a hole through NAT, directing traffic arriving at a specific public port to a specific internal device and port. For example, forwarding external port 25565 to 192.168.1.100:25565 allows players on the internet to connect to a Minecraft server running on an internal PC.

To set up port forwarding:

Log into your router's admin interface (typically at 192.168.1.1 or 192.168.0.1)
Find the Port Forwarding section (sometimes under WAN, NAT, or Firewall settings)
Add a rule specifying the external port, internal IP, and internal port
Give the internal device a static DHCP lease so its IP doesn't change
Verify with our port checker that the forwarded port is accessible from the internet

UPnP can automate port forwarding, though it carries security implications worth understanding.

Frequently Asked Questions

How many ports can be open at once?

Technically, up to 65,535 ports per protocol (TCP or UDP) can be open simultaneously on a single IP address. In practice, servers running dozens of services may have 20–50 ports open. For a typical home PC, 5–15 open ports is normal. Use <code>netstat -an</code> to see all open connections and listening ports on your machine.

What does it mean when a port is 'open', 'closed', or 'filtered'?

An open port has a service actively listening and will accept connections. A closed port has no service listening — the OS will respond with a TCP RST (reset), indicating the port exists but nothing is listening. A filtered port doesn't respond at all — usually because a firewall is dropping packets silently. Filtered ports are harder to scan and more secure than closed ones.

Can two programs use the same port at the same time?

Not by default for TCP. Only one process can listen on a given TCP port on a given IP at a time. Attempting to start a second service on an occupied port results in a 'port already in use' error. However, UDP allows multiple programs to listen on the same port using socket options like SO_REUSEPORT, which is used by modern DNS servers for performance.

How do I know which ports to open on my firewall?

Only open ports that correspond to services you intentionally run and need externally accessible. Start from a default-deny stance and add exceptions for specific needs. For a home network: you rarely need any inbound ports open unless you're running a server or game. For web servers: 80 and 443. For SSH: port 22 (or a custom port). Check our <a href="/common-port-numbers">common port numbers guide</a> for reference.

📖 Common Port Numbers Every Admin Should Know 📖 How to Check Open Ports on Your Network 📖 What Is UPnP? Universal Plug and Play Explained