What Is a Port Number? Ports, Port Forwarding and Open Ports Explained

A port number is the second half of an internet address. An IP address gets data to the right device; the port number then delivers it to the right program on that device. It is what lets one computer run a website, an email server and a game server at the same time without the traffic getting tangled. This guide explains what a port is, how the well-known, registered and dynamic ranges are divided, the common ports worth memorising, the difference between TCP and UDP, what port forwarding is and how it works, whether port forwarding is safe, and how to check which ports are open on a device. We finish with reference tables and a short FAQ.

What a port number actually is

When two computers talk over a network, every packet carries two addresses for each end: an IP address and a port number. The IP address identifies the machine - the building. The port number identifies the specific service on it - the door, or apartment, that the packet should be delivered to. Together they form a socket, written as the address and port separated by a colon, such as 93.184.216.34:443. You can confirm what your own machine looks like to the outside world with our IP Lookup tool, which reports the public IP that other devices use to reach you.

A port number is a 16-bit unsigned integer, which means it can be any value from 0 to 65535 - that is 65536 possible ports in total. The reason a single device can host many services at once is that each listening program claims a different port. A web server listens on port 80 or 443, a mail server on 25, a name server on 53, and so on. When a packet arrives, the operating system reads the destination port and hands the data to whichever program is listening there. Without ports, a computer could realistically run only one network service at a time.

IP address versus port: the apartment-block analogy

Think of the IP address as the street address of an apartment block and the port number as the apartment number inside it. The postal system gets a letter to the right building using the street address, then the apartment number ensures it lands in the right mailbox. Sending traffic to an IP address without a port is like mailing a letter to a block with no apartment number on the envelope.

Port number ranges: well-known, registered and dynamic

The Internet Assigned Numbers Authority (IANA), the body that coordinates these assignments, divides the full 0-65535 range into three bands. Knowing which band a number falls into tells you a lot about what it is likely used for.

| Range | Name | Typical use |
| --- | --- | --- |
| 0 - 1023 | Well-known (system) ports | Core internet services such as HTTP, HTTPS, SSH and DNS; usually require administrator privileges to bind. |
| 1024 - 49151 | Registered ports | Assigned by IANA to specific applications and vendors, for example MySQL (3306) or Minecraft (25565). |
| 49152 - 65535 | Dynamic / private / ephemeral ports | Picked temporarily by client programs for the outgoing side of a connection; not registered to anyone. |

Well-known ports (0-1023)

These are the foundations of the internet. They are reserved for the most widely used services so that any client knows exactly where to find them: a browser asks for a secure page on port 443 every time, on every server, without being told. On most operating systems a program needs administrator or root privileges to open a listening socket below 1024, which is a deliberate safety measure - it stops an unprivileged user from impersonating a core service like a mail or web server.

Registered ports (1024-49151)

Above the well-known band, software vendors register a port with IANA for their application so it does not collide with anyone else's. Databases, application servers, game servers and countless other programs live here. Registration is a convention rather than an enforced lock - nothing physically prevents a different program from using the number - but following it avoids conflicts and makes firewall rules predictable.

Dynamic / ephemeral ports (49152-65535)

When your browser connects out to a website, it connects to a well-known port at the server's end (443) but uses a temporary high-numbered port at its own end. The operating system picks one of these ephemeral ports automatically, uses it for the lifetime of that one connection, and releases it afterwards. This is why you can have dozens of browser tabs open at once: each connection gets its own ephemeral source port, so the replies never get confused.

Common port numbers you should recognise

A handful of ports come up constantly when reading firewall rules, configuring servers or troubleshooting connectivity. The table below lists the ones worth knowing, along with the transport protocol each normally uses. Note that some services - DNS is the classic example - use both TCP and UDP for different jobs.

| Port | Protocol | Service | What it does |
| --- | --- | --- | --- |
| 20 / 21 | TCP | FTP | File Transfer Protocol: 21 carries commands, 20 carries the data. |
| 22 | TCP | SSH | Secure Shell: encrypted remote login and secure file copy (SCP/SFTP). |
| 23 | TCP | Telnet | Legacy unencrypted remote login; avoid on the open internet. |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol: sending and relaying email between servers. |
| 53 | UDP and TCP | DNS | Domain Name System: UDP for most lookups, TCP for large responses and zone transfers. |
| 67 / 68 | UDP | DHCP | Dynamic Host Configuration Protocol: hands out IP addresses on a network. |
| 80 | TCP | HTTP | Standard, unencrypted web traffic. |
| 110 | TCP | POP3 | Post Office Protocol: downloading email from a mailbox. |
| 123 | UDP | NTP | Network Time Protocol: keeps device clocks synchronised. |
| 143 | TCP | IMAP | Internet Message Access Protocol: reading email kept on the server. |
| 443 | TCP | HTTPS | Encrypted web traffic (HTTP over TLS); the default for modern sites. |
| 3306 | TCP | MySQL | Default port for the MySQL/MariaDB database server. |
| 3389 | TCP | RDP | Remote Desktop Protocol: graphical remote control of a Windows machine. |

One service deserves a special mention: DNS on port 53. It uses UDP for the quick, small lookups that translate a domain name into an IP address, and falls back to TCP for larger responses. If you want to see this in action, our DNS Lookup tool queries a domain's records directly so you can watch the name-to-address translation that port 53 makes possible.

TCP versus UDP: two ways to use a port

Port numbers do not exist in isolation; each one belongs to a transport protocol, almost always TCP or UDP. They share the same numbering space but behave in opposite ways, and a single port number can be in use by both at once - TCP port 53 and UDP port 53 are genuinely separate channels.

TCP - reliable and ordered

The Transmission Control Protocol establishes a connection with a three-step handshake before any data flows, then guarantees that every byte arrives, in order, retransmitting anything lost along the way. That reliability costs a little speed and overhead, but it is exactly what you want for web pages, email, file transfers and remote logins, where a missing or scrambled byte would corrupt the result. HTTP (80), HTTPS (443), SSH (22), SMTP (25) and RDP (3389) all ride on TCP.

UDP - fast and connectionless

The User Datagram Protocol skips the handshake and the delivery guarantees entirely. It simply fires packets at the destination and moves on, accepting that a few may be lost. That makes it ideal where speed matters more than perfection: DNS lookups, voice and video calls, live streaming and online gaming all favour UDP, because a dropped packet is better than a delay spent waiting for a retransmission. The trade-off is that the application itself must handle any loss it cares about.

What is port forwarding and how does it work?

By default, a home router runs Network Address Translation (NAT) and a firewall that together block unsolicited inbound connections. Devices on your private network can reach out to the internet freely, but an outside computer cannot start a connection to a device behind your router, because the router does not know which internal machine the traffic is meant for. This is good for security, but it gets in the way when you want something on the internet to reach a device at home - a game server, a security camera, a media server, or a machine you remote into.

Port forwarding is the rule that creates a deliberate exception. You tell the router: "When traffic arrives on my public IP at this external port, send it to that internal device on that internal port." A typical rule has four parts:

  • External (WAN) port - the port the outside world connects to on your public IP, for example 25565.
  • Internal IP address - the private address of the device that should receive the traffic, for example 192.168.1.50.
  • Internal port - the port that the service is actually listening on inside your network (often the same as the external port).
  • Protocol - TCP, UDP, or both, matching what the service uses.

Once that rule is in place, an inbound packet hitting your public address on port 25565 is rewritten by the router and delivered to 192.168.1.50:25565, letting a friend connect to the game server you are hosting. A practical tip: give the target device a static or reserved internal IP first, otherwise its address may change and silently break the rule. To learn how to do that, see our guide on what a static IP address is.

Port forwarding does not change your IP

Forwarding a port routes inbound traffic to an internal device - it does not hide, change or reveal anything new about your public IP address. People connecting in still use the same public address you can see with our IP Lookup tool. If your home connection uses a dynamic public IP that changes periodically, that address can move over time regardless of any forwarding rules.

Is port forwarding safe?

Port forwarding is reasonably safe when you do it deliberately and sparingly, but it is not risk-free, and treating it casually is where people get into trouble. Every rule you open is a door in your firewall that the entire internet can now knock on. Automated bots scan public IP ranges around the clock looking for exactly these open doors, so a forwarded port will start receiving connection attempts from strangers within minutes, whether or not you advertise it.

The danger is not the open port itself but what is listening behind it. A forwarded port that leads to an unpatched application, a service using a default or weak password, or software that was never designed to face the internet is a genuine liability. The most frequently abused example is Remote Desktop on port 3389: exposing RDP directly to the internet is a well-known cause of compromised machines and ransomware.

You can forward ports safely by following a few rules:

  • Forward only what you genuinely need. Each rule is attack surface; do not open ports speculatively.
  • Patch and harden the target service. Keep it fully updated and protect it with a strong, unique password and, where possible, multi-factor authentication.
  • Prefer a VPN for sensitive access. Instead of forwarding RDP or SSH straight to the internet, connect into your network over a VPN and reach the service privately.
  • Restrict the source where you can. Some routers let you limit a forwarding rule to a specific source IP range, which dramatically shrinks exposure.
  • Close rules you no longer use. A forgotten forward to a device that was decommissioned is a classic way for an old, unpatched service to stay reachable.
  • Verify from the outside. After setting up a rule, check from outside your network whether the port is actually reachable - and confirm nothing else is unexpectedly open.

Done this way - a small number of well-chosen, well-secured rules - port forwarding is a routine and acceptable practice. Done carelessly, it is one of the easiest ways to expose a vulnerable device to the world.
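
A small model of how a router applies the four-part forwarding rule, extended with the per-rule source restriction from the list above. This is an added example, not code from any router; the names ForwardRule, route_inbound and exposure, the camera rule on port 8443 and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ForwardRule:
    proto: str                          # "tcp" or "udp"
    external_port: int                  # port on the public (WAN) address
    internal_ip: str                    # private address of the target device
    internal_port: int                  # port the service really listens on
    allowed_sources: str = "0.0.0.0/0"  # whole internet unless narrowed

def route_inbound(rules, src_ip, proto, dst_port):
    """Return (internal_ip, internal_port) for an unsolicited inbound packet,
    or None when no rule matches and the router drops it."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.proto == proto and r.external_port == dst_port
                and src in ipaddress.ip_network(r.allowed_sources)):
            return (r.internal_ip, r.internal_port)
    return None  # default behaviour: NAT and firewall block the packet

def exposure(rules):
    """Rules reachable from any source address, i.e. what every scanner sees."""
    return [(r.proto, r.external_port) for r in rules
            if ipaddress.ip_network(r.allowed_sources).prefixlen == 0]

# Constructed rule set: the game-server rule from the text, plus a camera
# whose external port differs from its internal one and whose rule is
# limited to one source range (hypothetical values).
RULES = [
    ForwardRule("tcp", 25565, "192.168.1.50", 25565),
    ForwardRule("tcp", 8443, "192.168.1.60", 443,
                allowed_sources="203.0.113.0/24"),
]

if __name__ == "__main__":
    for src, proto, port in [("198.51.100.9", "tcp", 25565),
                             ("198.51.100.9", "udp", 25565),
                             ("203.0.113.7", "tcp", 8443),
                             ("198.51.100.9", "tcp", 8443),
                             ("198.51.100.9", "tcp", 3389)]:
        print(src, proto, port, "->", route_inbound(RULES, src, proto, port))
    print("open to everyone:", exposure(RULES))
```

Only the game-server rule appears in the exposure list; the camera rule forwards traffic solely for sources inside its allowed range, and a port with no rule at all is dropped.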

How to check which ports are open

Whether you have just set up a forwarding rule or you simply want to audit your exposure, the tool for the job is a port scanner. A scanner attempts to connect to a list of ports on a target address and classifies each result:

  • Open - a service is actively listening and accepted the connection.
  • Closed - the port is reachable but nothing is listening, so the connection was refused.
  • Filtered - a firewall silently dropped the probe, so the scanner gets no reply at all.

To understand what the outside world can reach on your connection, you need to scan your public IP from outside your own network. A scanner running on the same machine sees a different picture, because it bypasses the router and firewall that an external attacker would have to get through. An online scanner solves this by probing from the internet side. Our Port Scanner tool checks the common ports on a target address from our servers and reports which are open, so you can confirm a forwarding rule worked or spot a port you did not expect to find open.

Remember that an open port is not automatically a problem - it just means a service is listening. The goal is to be able to account for every open port: each one should correspond to a service you intended to expose. An open port you cannot explain is the one worth chasing down.
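
The three scan results and the "account for every open port" rule, as an added example that is not part of the original page: a TCP connect check that classifies each port and then compares the open ones with an inventory of services you meant to expose. The function names and the loopback scenario in demo() are constructed for illustration; run from the machine itself it shows the local view, not what the internet side sees.

```python
import socket

def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port as open, closed or filtered using a full connect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset: nothing listening
    except OSError:
        return "filtered"    # timeout or unreachable: no usable reply
    finally:
        s.close()

def audit(host, ports, intended):
    """Compare what is reachable with what you meant to expose.

    intended maps port -> service name (your own inventory).
    """
    states = {p: probe_tcp(host, p) for p in ports}
    unexplained = sorted(p for p, st in states.items()
                         if st == "open" and p not in intended)
    not_reachable = sorted(p for p in intended if states.get(p) != "open")
    return {"states": states, "unexplained": unexplained,
            "not_reachable": not_reachable}

def demo():
    """Constructed loopback scenario: two listeners, only one in the inventory."""
    wanted = socket.create_server(("127.0.0.1", 0))
    stray = socket.create_server(("127.0.0.1", 0))
    spare = socket.create_server(("127.0.0.1", 0))
    wanted_port, stray_port, idle_port = (
        s.getsockname()[1] for s in (wanted, stray, spare))
    spare.close()            # free the port again so nothing listens on it
    try:
        report = audit("127.0.0.1", [wanted_port, stray_port, idle_port],
                       {wanted_port: "game server"})
    finally:
        wanted.close()
        stray.close()
    report["ports"] = {"wanted": wanted_port, "stray": stray_port,
                       "idle": idle_port}
    return report

if __name__ == "__main__":
    print(demo())
```

The port listed under "unexplained" is the one to chase down; a port listed under "not_reachable" means a forwarding rule or service you expected is not actually answering.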

A quick port-audit workflow

Find your public address with the IP Lookup tool, run the Port Scanner against it from outside your network, and cross-check any service that resolves by name with the DNS Lookup tool. Three quick checks tell you what is exposed, on which address, and behind which name.

Common questions and misconceptions

  • "Closing a port speeds up my internet." No. Ports route traffic to services; they do not throttle bandwidth. Closing an unused port improves security, not speed.
  • "Port forwarding exposes my whole network." A single rule only exposes the one internal device and port you specified, not everything behind the router - though a compromised exposed device can then become a foothold into the rest of the network.
  • "Higher port numbers are safer." Moving a service to an unusual high port (security through obscurity) deters casual scans a little, but determined scanners check every port. It is not a substitute for patching and strong credentials.
  • "The same port can only be used by one thing." On one protocol and one IP, yes - but TCP and UDP are separate, and different IP addresses on the same machine can each bind the same port number.
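
The last point, and the earlier statement that TCP port 53 and UDP port 53 are separate channels, can be checked directly. This is an added example, not part of the original page: it takes one port number on loopback and tries three further binds. The helper names are hypothetical, and the 127.0.0.2 attempt assumes a system (such as Linux) where the whole 127.0.0.0/8 block is usable.

```python
import errno
import socket

def try_bind(kind, ip, port):
    """Bind a socket; return it on success or the errno name on failure."""
    s = socket.socket(socket.AF_INET, kind)
    try:
        s.bind((ip, port))
        return s
    except OSError as e:
        s.close()
        return errno.errorcode.get(e.errno, str(e.errno))

def port_ownership_demo():
    """Report what happens to each further bind attempt on one port number."""
    tcp = try_bind(socket.SOCK_STREAM, "127.0.0.1", 0)  # 0 = OS picks a port
    tcp.listen()
    port = tcp.getsockname()[1]
    attempts = {
        # Same number, other protocol: UDP has its own port space.
        "udp_same_ip": try_bind(socket.SOCK_DGRAM, "127.0.0.1", port),
        # Same protocol, same IP, same number: already owned by `tcp`.
        "tcp_same_ip": try_bind(socket.SOCK_STREAM, "127.0.0.1", port),
        # Same protocol and number on a different local IP address.
        "tcp_other_ip": try_bind(socket.SOCK_STREAM, "127.0.0.2", port),
    }
    outcome = {}
    for name, result in attempts.items():
        if isinstance(result, socket.socket):
            outcome[name] = "bound"
            result.close()
        else:
            outcome[name] = result   # errno name such as EADDRINUSE
    tcp.close()
    return outcome

if __name__ == "__main__":
    print(port_ownership_demo())
```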

Frequently asked questions

What is a port number in simple terms?

A port number is a 16-bit value from 0 to 65535 that identifies a specific service or application on a device. An IP address gets traffic to the right machine, and the port number then directs that traffic to the right program on it - for example port 443 for a secure website or port 25 for email. Because each connection combines an IP address and a port (written as 192.168.1.10:443), a single device can run many services at once without the data getting mixed up.

What are the three ranges of port numbers?

The 65536 possible ports are split into three ranges by IANA. The well-known ports run from 0 to 1023 and are reserved for core services such as HTTP (80), HTTPS (443) and SSH (22). The registered ports run from 1024 to 49151 and are assigned to specific applications and vendors. The dynamic or ephemeral ports run from 49152 to 65535 and are used temporarily by client programs for the outgoing side of a connection.

What is the difference between TCP and UDP ports?

TCP and UDP are two transport protocols that both use port numbers, but they behave differently. TCP sets up a connection and guarantees that data arrives in order and complete, which suits web pages, email and file transfers. UDP sends data without a handshake or delivery guarantee, trading reliability for speed, which suits DNS lookups, video calls and online games. Importantly, TCP port 80 and UDP port 80 are separate channels, so the same number can be in use by both protocols at once.

What is port forwarding and how does it work?

Port forwarding is a router rule that sends inbound traffic arriving on a chosen public port to a specific device and port inside your private network. Normally a home router blocks unsolicited inbound connections, so an outside computer cannot reach a device on your LAN. A port-forwarding rule creates an intentional exception: when traffic hits your public IP on, say, port 25565, the router forwards it to the internal address and port you specified, letting an outsider reach a game server, security camera or remote-desktop host you host at home.

Is port forwarding safe?

Port forwarding is reasonably safe when done deliberately and sparingly, but every rule you open is a doorway that the rest of the internet can knock on. The risks come from forwarding a port to a service that is unpatched, uses a default or weak password, or was never meant to face the internet - bots constantly scan for exactly these. To stay safe, forward only the ports you truly need, point them at fully updated services with strong credentials, prefer a VPN over forwarding sensitive ports like RDP (3389), and close any rule the moment you stop using it.

How do I check which ports are open?

You check open ports with a port scanner, which tries to connect to a list of ports on a target address and reports whether each is open, closed or filtered. To see what the outside world can reach on your own public IP, use an online scanner from outside your network rather than a tool running on the same machine. Open ports are not automatically dangerous, but each one represents a listening service you should be able to account for; an unexpected open port is worth investigating.