Port
Network Port
A 16-bit number (0–65535) in the TCP or UDP header that identifies which application or service on a device should receive a packet — allowing a single IP address to run dozens of services simultaneously.
Every TCP and UDP packet carries both a source port and a destination port. When your browser connects to a web server, the OS assigns your browser an ephemeral source port (e.g., 54321) and the server listens on destination port 443 (HTTPS). The reply comes back to your IP:54321, which the OS delivers to the socket your browser opened for that tab. Multiple browser tabs open simultaneous connections using different ephemeral ports; they all share your one IP address. The combination of IP address, port and protocol identifies one endpoint and is called a socket (strictly, a socket address).
Port numbers in the transport layer
TCP and UDP both include 16-bit source and destination port fields in their headers. A 16-bit field gives 65,536 possible values (0–65535). The combination of source IP, source port, destination IP, destination port, and protocol — the 5-tuple — uniquely identifies a single connection or flow on the internet. Two different browser tabs connecting to the same HTTPS server at the same time are differentiated by their different ephemeral source ports even though every other field in the 5-tuple is identical. This is how a single IP address can sustain tens of thousands of simultaneous connections.
Port number ranges
IANA divides the 65,536 ports into three ranges with distinct purposes:
- Well-known ports (0–1023): reserved for standard services defined by IANA. On Unix-like systems, binding to any port below 1024 requires root or the CAP_NET_BIND_SERVICE capability, which prevents unprivileged processes from impersonating standard services. Examples: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS.
- Registered ports (1024–49151): assigned by IANA to specific applications and services, but binding does not require elevated privileges, so any local user can claim a free registered port. Examples: 1433 Microsoft SQL Server, 3306 MySQL, 3389 RDP, 5432 PostgreSQL, 8080 HTTP alternate.
- Dynamic/ephemeral ports (49152–65535): assigned automatically by the OS to the client side of outgoing connections and released when the connection closes. Linux defaults to 32768–60999 (see /proc/sys/net/ipv4/ip_local_port_range), which overlaps the registered range. Listening services should avoid this range: nothing stops a daemon from binding a port there, but if an outgoing connection happens to hold that number when the daemon starts, the bind fails intermittently.
Common port numbers
| Port | Protocol | Service |
|---|---|---|
| 22 | TCP | SSH (secure shell, remote access) |
| 25 | TCP | SMTP (email server-to-server sending) |
| 53 | TCP/UDP | DNS (queries normally use UDP and fall back to TCP for truncated responses; zone transfers use TCP) |
| 80 | TCP | HTTP (unencrypted web) |
| 110 | TCP | POP3 (email retrieval, plaintext unless upgraded via STARTTLS) |
| 143 | TCP | IMAP (email sync, plaintext unless upgraded via STARTTLS) |
| 443 | TCP/UDP | HTTPS / QUIC (HTTP/3) |
| 993 | TCP | IMAPS (IMAP over TLS) |
| 995 | TCP | POP3S (POP3 over TLS) |
| 3389 | TCP | RDP (Windows Remote Desktop) |
| 5900 | TCP | VNC (remote desktop, cross-platform) |
| 8080 | TCP | HTTP alternate (dev servers, proxies) |
How firewall rules use port numbers
Firewalls match traffic against rules using fields of the 5-tuple. A typical rule specifies direction (inbound/outbound), protocol (TCP/UDP/any), source IP range, destination IP range and destination port; the source port is usually left unmatched because the client picks it at random. For example, "allow TCP from any to 192.168.1.100 on port 443" permits HTTPS connections to one server, and "deny TCP from any to any on port 23" blocks all Telnet. Rules are evaluated top to bottom and the first matching rule wins, with an implicit default (normally deny) when nothing matches, so order matters: a broad allow placed above a specific deny silently defeats the deny. Port-based filtering is the most common firewall primitive, though next-generation firewalls add application-layer identification on top of port matching, which catches services deliberately run on unexpected ports.
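The first-match behaviour described above, as an added example that is not code from the original page or from any firewall product. The Rule fields, the sample rule sets and the sample flows are constructed for illustration; the two rules quoted in the text appear alongside a broad allow for an internal 10.0.0.0/8 network to show how ordering changes the verdict.

```python
"""First-match firewall rule evaluation over the 5-tuple.

Added example for this page, not code from any firewall product. Rule fields,
the sample rule sets and the sample flows are constructed for illustration.
Rules leave the source port unmatched: it is ephemeral, so filtering on it
is rarely useful.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination port; None matches every port


# A flow is (proto, src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, str, int, str, int]


def _net_match(cidr: str, ip: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto, src_ip, _src_port, dst_ip, dst_port = flow
    return (
        rule.proto in ("any", proto)
        and _net_match(rule.src, src_ip)
        and _net_match(rule.dst, dst_ip)
        and (rule.dport is None or rule.dport == dst_port)
    )


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Walk the rule list top to bottom; the first match decides."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default   # implicit default deny when nothing matches


# The two rules from the text, plus a broad allow for the internal network.
ALLOW_HTTPS = Rule("allow", "tcp", "any", "192.168.1.100/32", 443)
DENY_TELNET = Rule("deny", "tcp", "any", "any", 23)
ALLOW_LAN = Rule("allow", "any", "10.0.0.0/8", "any", None)

# Specific deny above the broad allow: Telnet from the LAN is blocked.
RULES_CORRECT = [ALLOW_HTTPS, DENY_TELNET, ALLOW_LAN]
# Same rules, broad allow first: the Telnet deny is never reached for 10/8.
RULES_MISORDERED = [ALLOW_HTTPS, ALLOW_LAN, DENY_TELNET]

# Constructed sample flows (proto, src_ip, src_port, dst_ip, dst_port).
HTTPS_FROM_INTERNET: Flow = ("tcp", "203.0.113.7", 54321, "192.168.1.100", 443)
TELNET_FROM_LAN: Flow = ("tcp", "10.1.2.3", 40000, "192.168.1.100", 23)
SSH_FROM_INTERNET: Flow = ("tcp", "203.0.113.7", 54322, "192.168.1.100", 22)

if __name__ == "__main__":
    for name, rules in (("correct", RULES_CORRECT), ("misordered", RULES_MISORDERED)):
        print(name, "telnet from LAN ->", evaluate(rules, TELNET_FROM_LAN))
```

The only difference between the two rule sets is the position of the broad allow; with it above the Telnet deny, a LAN host reaches port 23 even though a deny rule for Telnet exists. Real firewalls (iptables/nftables chains, cloud security groups with explicit priorities) exhibit the same pitfall, so audits should check rule order, not just rule presence.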
Port forwarding: hosting a server behind NAT
NAT hides all LAN devices behind one public IP. When an inbound connection arrives at your public IP, the router does not know which LAN device to deliver it to — unless you have created a port forward. A port forward rule says: "incoming TCP connections on public port 8443 → forward to 192.168.1.100 port 443." From the internet, visitors connect to your public IP on port 8443 and are transparently routed to the internal server. Port forwarding is used for self-hosting web servers, game servers, remote access tools, IP cameras, and any service that must accept inbound connections. Each forwarded port increases your network's exposure, so only forward ports actively in use and close them when the service is decommissioned.
Port scanning with nmap
Port scanning probes a host to discover which TCP/UDP ports are open (accepting connections), closed (the host answers with a RST or ICMP port unreachable, meaning nothing is listening) or filtered (no response, most likely a firewall dropping the probe). The most common tool is nmap. nmap -sV 192.168.1.1 performs a service version scan against a host: it connects to each open port and sends protocol probes to identify the service and version running. nmap -sS performs a SYN scan, a half-open scan that sends a TCP SYN and reads the SYN-ACK or RST reply without completing the handshake, which is faster and, because no connection is ever established, does not show up in application logs (it remains visible to a network IDS). A SYN scan needs raw sockets, so it requires root; nmap uses it by default when privileged and falls back to a full connect scan (-sT) otherwise. Port scanning your own network is a normal security audit activity; scanning hosts you do not own without permission is illegal in many jurisdictions.
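The open/closed/filtered classification above, as an added example that is not code from the original page or from nmap. It performs a full connect scan (what nmap -sT does) because a half-open SYN scan needs raw sockets and root. To run offline it starts its own listener on 127.0.0.1 and scans that port before and after closing it; the host, timeout and helper names are assumptions for the demo.

```python
"""TCP connect scan against a local listener: open, closed and filtered.

Added example, not code from the page or from nmap. It completes the
three-way handshake (nmap -sT) because a half-open SYN scan needs raw
sockets and root. The listener it scans is started locally so the demo runs
offline; host and port choices are constructed for the demo.
"""
import socket
from typing import Dict, Iterable


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # SYN-ACK came back and the handshake completed
        except ConnectionRefusedError:
            return "closed"        # RST came back: the host is up, nothing listens here
        except OSError:
            return "filtered"      # timeout or unreachable: probe most likely dropped


def scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p) for p in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind port 0 so the OS picks a free port; the demo scans that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def demo() -> Dict[str, str]:
    """Scan a port while a listener is up, then again after it is closed."""
    srv = start_listener()
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo())   # {'listening': 'open', 'closed': 'closed'}
```

Because the connect scan finishes the handshake, the target application sees a real connection and can log it; that is exactly the trace a SYN scan avoids. The "filtered" branch catches both a silent drop (timeout) and a route failure, which is why a filtered result on its own does not prove a firewall is present.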
Ports and security
Open ports are potential attack surface. Every service listening on a port is code that processes untrusted input from the network, so minimising attack surface means not starting (or firewalling off) any service whose port does not need to be reachable. Common high-risk open ports: 23 (Telnet: plaintext, should never be open), 3389 (RDP: frequently brute-forced; restrict to VPN or specific source IPs), 22 (SSH: safe with key-only authentication plus rate limiting or source restrictions; moving it off port 22 cuts log noise from automated scanners but is not a security control, since a port scan finds the new port in seconds). Inventory what is actually listening before deciding what to close: on Linux, ss -tlnp lists every TCP listener with its bind address and owning process, and a service bound to 127.0.0.1 is not reachable from the network at all, whereas one bound to 0.0.0.0 or [::] is. On Windows, netstat -ano shows the same with process IDs.
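A listener audit built on the ss -tlnp output mentioned above, as an added example that is not code from the original page. It parses the table ss prints, ignores loopback-only listeners, and flags exposed ports that are either missing from an allowlist or owned by an unexpected process (a cheap check for something impersonating a standard service). The ss output embedded below is a constructed sample in ss's format, and the allowlist is an assumption for the demo; on a real host, feed it the string returned by subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout instead.

```python
"""Audit the listeners reported by ss -tlnp against an allowlist.

Added example, not part of the original page. SAMPLE_SS_OUTPUT is a
constructed sample in the format ss -tlnp prints; the allowlist passed to
audit() is an assumption for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of ss -tlnp output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1203,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    *:8080              *:*               users:(("python3",pid=2211,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=455,fd=6))
"""

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: Optional[str]
    pid: Optional[int]

    @property
    def exposed(self) -> bool:
        """True when bound to every interface rather than loopback only."""
        return self.addr in WILDCARDS


def parse_ss(output: str) -> List[Listener]:
    """Turn ss -tlnp text into Listener records; skips the header line."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port, proc_field = m.groups()
        pm = PROC_RE.search(proc_field)   # absent when ss is run without privileges
        listeners.append(Listener(addr, int(port),
                                  pm.group(1) if pm else None,
                                  int(pm.group(2)) if pm else None))
    return listeners


def audit(output: str, allowed: Dict[int, Set[str]]) -> List[str]:
    """Flag exposed listeners not on the allowlist, or owned by the wrong process."""
    findings = []
    for lst in parse_ss(output):
        if not lst.exposed:
            continue   # loopback-only: not reachable from the network
        if lst.port not in allowed:
            findings.append(
                f"unexpected listener {lst.addr}:{lst.port} ({lst.process}, pid {lst.pid})")
        elif lst.process not in allowed[lst.port]:
            findings.append(
                f"port {lst.port} owned by {lst.process}, expected {sorted(allowed[lst.port])}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, {22: {"sshd"}}):
        print(finding)
```

With only SSH allowlisted, the sample yields two findings: the dev server on 8080 bound to every interface, and Telnet on 23. PostgreSQL on 127.0.0.1:5432 is not reported because it is not reachable from the network. Without root, ss omits the Process column, so process and pid come back as None; run the audit as root if the process check matters.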
Frequently Asked Questions
What is the difference between a port and an IP address?
An IP address identifies a device on the network. A port identifies a specific service or application on that device. The analogy: IP address is the building's street address, port is the apartment number. IP + port + protocol = a socket, uniquely identifying one network endpoint.
What are well-known ports?
Ports 0–1023, reserved by IANA for standard services. Binding below 1024 requires root on Unix. Common ones: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS. Registered ports 1024–49151 are used by applications without elevated privileges. Ephemeral ports 49152–65535 are assigned by the OS to outgoing client connections.
What is port forwarding?
A NAT rule that directs inbound connections on a specific public port to a specific LAN device and port. Without it, NAT blocks all unsolicited inbound connections. Forwarding port 443 to 192.168.1.100:443 makes that internal server reachable from the internet on your public IP address.