What a port actually is
A port is a 16-bit number — anything from 0 to 65535 — that identifies a specific service or connection endpoint at an IP address. When a packet arrives at your computer, the IP address in the header got it to the right machine, but the machine is usually running dozens of network programs at once: a browser, an email client, a couple of background sync tools, maybe a local development server. The port number is the label that tells the operating system which of those programs the packet is meant for.
The classic analogy is an apartment building. The street address (the IP) gets the mail to the building; the apartment number (the port) gets it to the right resident. Without the apartment number, the letter arrives at the building with no way to know who it is for. Ports do exactly that job for network traffic.
Because a port is 16 bits wide, there are exactly 65,536 of them (2 to the power of 16). That number shows up constantly in networking, and it is the reason no port can be higher than 65535.
The three port ranges
The Internet Assigned Numbers Authority (IANA) divides the port space into three ranges, each used for a different purpose:
- Well-known ports: 0–1023. Reserved for core, universally recognized services. HTTP lives on
80, HTTPS on443, SSH on22. On most operating systems a program needs administrator or root privileges to listen on a port in this range, which is a small security guard against a random user process pretending to be the system web server. - Registered ports: 1024–49151. Assigned by IANA to specific applications and vendors on request, but not as tightly guarded. This is where databases and application servers live — MySQL on
3306, PostgreSQL on5432, Remote Desktop on3389. Any ordinary program can usually bind to these without special privileges. - Dynamic / ephemeral ports: 49152–65535. Never permanently assigned to anything. The operating system hands these out temporarily for the client side of an outbound connection, then releases them when the connection closes. You almost never choose one of these yourself; the OS picks them for you.
How an IP, a port, and a protocol identify a connection
An IP address plus a port number together form a socket, usually written as address:port — for example 93.184.216.34:443 means “port 443 at that IP.” But a socket on its own is only half the picture. A single running connection is uniquely identified by five things together, often called the 5-tuple:
- Source IP address (yours)
- Source port (an ephemeral port your OS picked)
- Destination IP address (the server's)
- Destination port (the well-known port of the service, e.g. 443)
- Transport protocol (TCP or UDP)
This is why you can have ten browser tabs open to the same website at once without them getting tangled: each tab's connection uses a different source port, so the 5-tuples are all distinct. It is also why TCP and UDP are counted separately — TCP and UDP each have their own full set of 65,536 ports, and TCP port 53 is a genuinely different endpoint from UDP port 53 even though DNS uses both.
Reference table: the ports you actually run into
These are the assignments worth memorizing. Every number below is a standard IANA assignment, not a convention someone made up:
| Port | Protocol | Service |
|---|---|---|
| 20 / 21 | TCP | FTP — 21 is control, 20 is the data channel |
| 22 | TCP | SSH — secure remote shell (also SCP and SFTP) |
| 23 | TCP | Telnet — legacy unencrypted remote shell, avoid |
| 25 | TCP | SMTP — mail transfer between servers |
| 53 | TCP + UDP | DNS — UDP for normal lookups, TCP for large responses and zone transfers |
| 67 / 68 | UDP | DHCP — 67 is the server, 68 is the client |
| 80 | TCP | HTTP — unencrypted web traffic |
| 110 | TCP | POP3 — download email from a mailbox |
| 143 | TCP | IMAP — read email kept on the server |
| 443 | TCP | HTTPS — web traffic secured with TLS |
| 465 / 587 | TCP | SMTP submission — sending mail from a client (587 with STARTTLS, 465 implicit TLS) |
| 993 | TCP | IMAPS — IMAP over TLS |
| 995 | TCP | POP3S — POP3 over TLS |
| 3306 | TCP | MySQL / MariaDB database |
| 3389 | TCP | RDP — Windows Remote Desktop |
| 5432 | TCP | PostgreSQL database |
| 8080 | TCP | HTTP-alt — common for dev servers, proxies, and app servers |
A few of these repay a second look. Notice how the secured version of a mail protocol gets its own port: plain IMAP on 143 becomes IMAPS on 993, and plain POP3 on 110 becomes POP3S on 995. Notice too that 8080 is not a magic web port — it is simply a registered-range port that developers picked as an unprivileged stand-in for 80, so you can run a web server without root. The encryption on 443 is handled by TLS, the protocol behind HTTPS.
How ports relate to firewalls and port forwarding
A firewall is, at heart, a set of rules about which ports are allowed to accept incoming connections. When you visit a website, your computer opens an outbound connection, and your firewall lets the replies back in because it remembers the connection you started — this is called stateful filtering. You do not need to configure anything for normal browsing, email, or streaming to work.
The situation flips when you want the outside world to reach a service running inside your network — a home game server, a self-hosted app, a security camera. Now an unsolicited inbound connection has to arrive at a specific port, pass the firewall, and then be routed by your router to the right internal device. That routing step is port forwarding: you tell the router “traffic arriving on port X should go to this machine on my LAN.” If the port is not forwarded, or the firewall blocks it, the connection is silently dropped. You can check whether a given port is reachable from the public internet with the port checker.
Ephemeral (source) ports on the client side
Everything above is about the destination port — the well-known number a server listens on. But your side of the connection needs a port too, and that is where the ephemeral range comes in. When your browser connects to a web server on port 443, your operating system quietly assigns a temporary source port from the dynamic range (49152–65535 by the IANA guideline; some systems use a wider window). The full connection therefore looks like this:
- Your side:
203.0.113.7:51234(your IP, an ephemeral source port) - Server side:
93.184.216.34:443(the server IP, the well-known HTTPS port)
When the connection closes, that source port is freed for reuse. Because every outbound connection consumes one, a machine making thousands of simultaneous connections can in extreme cases exhaust its ephemeral pool — a real concern for busy load balancers and proxies, and one reason those are tuned to widen the range. For everyday use you never think about source ports at all; the OS handles them invisibly.
Frequently asked questions
What is the range of valid port numbers?
Port numbers are 16-bit values, so they run from 0 to 65535 — 65,536 possible ports. IANA splits that into well-known (0–1023), registered (1024–49151), and dynamic / ephemeral (49152–65535).
What is the difference between a TCP port and a UDP port?
TCP and UDP each have their own independent set of 65,536 ports, so TCP port 53 and UDP port 53 are different endpoints even though both belong to DNS. The number is just a label; the transport protocol decides how the data moves. See TCP vs UDP for the full comparison.
Do I need to open a port in my firewall to browse the web?
No. Connections you start outbound are allowed back in automatically because your firewall tracks them. You only need to open or forward a port when you want something outside your network to reach a service running inside it — that is what port forwarding handles.
Related reading
- TCP vs UDP — why the same port number means two different endpoints depending on the protocol.
- Port checker — test whether a specific port is open and reachable from the public internet.
- Port forwarding explained — how to make an inside service reachable from outside.
- TLS and HTTPS — what actually secures the traffic on port 443.
- How DNS works — the service behind port 53, on both TCP and UDP.
- Networking glossary — plain-English definitions for the rest of the jargon.
