What is a port? Networking ports explained simply
An IP address gets traffic to your computer. A port number tells the OS which app should handle it. Here's what ports are, the well-known port numbers, and why ports 80 and 443 are so famous.
You've seen URLs like https://example.com:8080. You've heard tech people say "port 80" or "port 22" or "ports are open." If you've ever wondered what that number actually does, this is the explainer.
The two-line summary
An IP address identifies a computer on the network. A port number identifies which program on that computer should handle the traffic. Together they form an "endpoint" — 203.0.113.5:443 means "the HTTPS server on this machine."
Without ports, your computer wouldn't know whether incoming traffic was meant for your browser, your email client, or your game.
How ports work
Every networked computer can run dozens of programs at once that need network access — browser, email, instant messenger, system updater, time-sync daemon. They share one network adapter and one IP. So how does an incoming packet get to the right program?
Answer: port numbers.
When a program wants to receive network traffic, it asks the operating system: "give me port 443" (or whatever number it wants). The OS reserves that port — only one program at a time can hold a given port on a given IP.
Incoming packets carry both an IP and a port. The OS sees the destination IP is "us," looks at the port, and routes the packet to the program holding that port. The program reads it, does its thing, and replies — outbound packets get a port number too, so the other end can reply correctly.
Ports are 16-bit numbers, so the range is 0 to 65535.
Three port categories
The ranges aren't equal. The Internet Assigned Numbers Authority (IANA) divides them up.
Well-known ports: 0–1023
Reserved for standard services. Listed in the IANA registry. On most operating systems, opening these requires administrator privileges — to prevent random apps from impersonating system services.
| Port | Service | Usage |
|---|---|---|
| 22 | SSH | Remote shell |
| 25 | SMTP | Mail server-to-server |
| 53 | DNS | Domain Name resolution |
| 80 | HTTP | Plain web traffic |
| 110 | POP3 | Email retrieval (legacy) |
| 143 | IMAP | Email retrieval (modern) |
| 443 | HTTPS | Encrypted web traffic |
| 465 | SMTPS | Encrypted SMTP submission (legacy) |
| 587 | SMTP submission | Modern SMTP submission with STARTTLS |
| 993 | IMAPS | Encrypted IMAP |
These are the ones you'll see referenced most often. Anything in the 0–1023 range is usually a system service.
Registered ports: 1024–49151
Less strict but still cataloged. Many popular services live here:
| Port | Service |
|---|---|
| 1194 | OpenVPN (default) |
| 3306 | MySQL |
| 3389 | RDP (Remote Desktop) |
| 5432 | PostgreSQL |
| 5060 | SIP |
| 5900 | VNC |
| 6379 | Redis |
| 8080 | Often "alternative HTTP" or proxies |
| 8443 | Often "alternative HTTPS" |
| 27017 | MongoDB |
You don't need privileges to bind here, so they're popular for development and self-hosted services.
Dynamic / private / ephemeral ports: 49152–65535
Used for outgoing connections. When your browser connects to a website, it picks a random port from this range to be its "source port" so reply traffic can come back to it. Ephemeral ports are reused constantly; the OS recycles them after each connection closes.
You'll never deliberately open a service on these — they're for short-lived client connections.
How a typical web request uses ports
Picture the moment your browser loads https://example.com:
- Browser asks DNS: "what's the IP for example.com?" (DNS goes out on port 53.)
- Browser opens a TCP connection from a random ephemeral port (say, 51234) on your machine to port 443 on the example.com server.
- The server's HTTPS daemon, listening on port 443, accepts the connection.
- They exchange data.
- Reply packets from the server have source port 443 and destination port 51234 — the OS knows that means "your browser."
- When the connection closes, your machine's port 51234 is released and reused for the next request.
Multiply by hundreds of simultaneous connections and you can see why we need so many ports.
TCP ports and UDP ports are separate
Both TCP and UDP have their own 0–65535 port spaces. You can have a TCP server on port 53 (DNS over TCP) and a UDP server on port 53 (DNS over UDP) at the same time on the same machine. They don't conflict — they're different transports.
The IANA registry usually lists both protocols when assigning a service to a port. DNS uses both TCP/53 and UDP/53.
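The binding rules from "How ports work" and the separate TCP and UDP port spaces can be observed directly on the loopback interface. The following Python is an added example, not part of the original article; the helper names `try_bind` and `demo_port_ownership` are hypothetical, and it assumes loopback networking is available.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"  # constructed demo: everything stays on this machine


def try_bind(sock_type, port):
    """Try to claim (LOOPBACK, port); return 'ok' or the errno name."""
    sock = socket.socket(socket.AF_INET, sock_type)
    try:
        sock.bind((LOOPBACK, port))
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def demo_port_ownership():
    """Show who may hold a port and which port a client is given."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {
        "port": port,
        # A second TCP socket asking for the same IP and port is refused.
        "second_tcp_bind": try_bind(socket.SOCK_STREAM, port),
        # UDP has its own port space, so the same number is free there.
        "udp_bind_same_number": try_bind(socket.SOCK_DGRAM, port),
    }
    # A client gets an OS-chosen source port; the server sees it as the peer.
    client = socket.create_connection((LOOPBACK, port), timeout=2)
    conn, peer = listener.accept()
    result["client_source_port"] = client.getsockname()[1]
    result["peer_port_seen_by_server"] = peer[1]
    for s in (conn, client, listener):
        s.close()
    return result


if __name__ == "__main__":
    for key, value in demo_port_ownership().items():
        print(f"{key}: {value}")
```

The second TCP bind fails with the "address already in use" error, while the UDP bind on the same number succeeds.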
What "open ports" mean
When network people talk about "open ports," they mean: someone has a service listening on that port, and nothing in the network path is blocking inbound connections to it.
Three states a port can be in, from the outside:
- Open — a service is listening and replied to your probe.
- Closed — no service listening, but the OS responded with "nothing here."
- Filtered — your probe got nothing back. A firewall is dropping traffic silently.
Tools like nmap (and our upcoming Port Checker) probe ports on a remote host to see which are open. Useful for diagnostics; also the first step in attacks, which is why aggressive port scanning is sometimes treated as hostile.
Why your home router blocks inbound ports
Modern home routers run NAT (Network Address Translation) and a firewall. By default, they:
- Allow outbound connections on any port (your browser can reach anywhere).
- Drop unsolicited inbound connections on every port.
This is why your home network is, by default, reasonably safe — even if you have an outdated machine on your LAN, it's not exposed to the internet.
To accept inbound (e.g., to host a server), you'd need to port-forward in the router config. Forward port 443 from the public IP to a specific machine inside, and that machine becomes reachable. Or, if you're behind CGNAT, you'd use Cloudflare Tunnel instead.
Port forwarding versus opening firewall ports
Two distinct things, easily confused:
- Port forwarding changes routing — "send port 443 traffic on the public IP to internal IP 192.168.1.50."
- Firewall rules change filtering — "allow incoming TCP traffic on port 443."
You usually need both for hosting: forward the port and allow the traffic. Most consumer routers handle both at once when you add a port-forward rule.
Quick FAQ
Why is HTTPS port 443? Historical assignment. Originally, port 80 was HTTP, 443 was HTTPS. They've stuck.
Can I run my web server on a different port? Yes — https://example.com:8443 works fine if the server is configured for it. The URL has to include :port whenever the port is non-standard. Most production sites stick with 80/443 because non-standard ports get blocked by some networks.
What happens if two programs want the same port? The first one to bind wins. The second gets an error ("address already in use"). You'll see this when starting a dev server while another instance is still running.
How many ports does my computer have? 65,536 per IP per protocol. So 65,536 × 2 (TCP + UDP) = 131,072 distinct endpoints possible per IP. In practice, only a few hundred are ever in use at once on a typical machine.
Are some ports more secure than others? The port number itself isn't secure or insecure. The service on the port might be. Port 23 (Telnet) is famously insecure because Telnet sends passwords in plaintext. Port 22 (SSH) is fine because SSH encrypts everything.
TL;DR
- Ports are 16-bit numbers (0–65535) that identify which program on a machine should handle network traffic.
- IP + port = a complete endpoint.
- Well-known ports (0–1023) are reserved for standard services. Registered ports (1024–49151) are popular service ports. Ephemeral ports (49152+) are short-lived client connections.
- TCP and UDP have separate port spaces.
- Home routers block inbound on every port by default — port forwarding (or Cloudflare Tunnel) is how you change that.
If you ever see :8080 at the end of a URL, now you know exactly what it's doing.