Common Port Numbers Reference Guide
Complete reference for well-known TCP and UDP port numbers. Search protocols, find port assignments, and understand which ports to open or block in your firewall.
Port numbers are how your operating system routes incoming network traffic to the right application. When a web server and an SSH daemon both listen for connections, the port number tells the OS which process gets each incoming packet. Knowing your ports is basic fluency for anyone configuring firewalls, debugging connectivity, or reading server logs.
Port Number Ranges
The 65,535 available ports are divided into three ranges:
| Range | Name | Description |
|---|---|---|
| 0–1023 | Well-known ports | Assigned by IANA; standard services |
| 1024–49151 | Registered ports | Registered applications; less standardized |
| 49152–65535 | Dynamic/ephemeral | Temporary outbound connections |
Essential Well-Known Ports
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 20, 21 | TCP | FTP | 21 = control, 20 = data (active mode) |
| 22 | TCP | SSH | Secure shell, SFTP, SCP |
| 23 | TCP | Telnet | Unencrypted — never use on public networks |
| 25 | TCP | SMTP | Email sending (MTA to MTA) |
| 53 | TCP/UDP | DNS | UDP for queries, TCP for zone transfers |
| 67, 68 | UDP | DHCP | 67 = server, 68 = client |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 110 | TCP | POP3 | Email retrieval (legacy) |
| 123 | UDP | NTP | Network time synchronization |
| 143 | TCP | IMAP | Email retrieval (modern) |
| 161, 162 | UDP | SNMP | Network device monitoring |
| 443 | TCP | HTTPS | Encrypted web traffic (TLS) |
| 445 | TCP | SMB | Windows file sharing |
| 465, 587 | TCP | SMTPS / Submission | Encrypted email sending |
| 993 | TCP | IMAPS | IMAP over TLS |
| 995 | TCP | POP3S | POP3 over TLS |
| 3389 | TCP | RDP | Windows Remote Desktop |
Common Application and Service Ports
| Port | Service | Notes |
|---|---|---|
| 1433 | MSSQL | Microsoft SQL Server |
| 1521 | Oracle DB | Oracle database listener |
| 3306 | MySQL / MariaDB | Default MySQL port |
| 5432 | PostgreSQL | Default Postgres port |
| 5672 | AMQP | RabbitMQ messaging |
| 6379 | Redis | In-memory data store |
| 8080 | HTTP alt | Development servers, proxies |
| 8443 | HTTPS alt | Development HTTPS |
| 9200 | Elasticsearch | REST API |
| 27017 | MongoDB | Default MongoDB port |
Using the CalcHub Port Reference
The CalcHub Port Number Reference is searchable — enter a port number to see the protocol, or search a protocol name to find its port. It also shows whether to use TCP, UDP, or both, and flags ports that are commonly targeted by attackers.
The firewall mode lets you build a rule set: specify your server type (web server, mail server, database) and it generates a recommended allow-list of ports, blocking everything else by default.
Firewall Basics: Default Deny
The safest firewall posture is default deny: block all inbound traffic, then explicitly allow only what you need. For a web server:
- Allow 80/TCP from anywhere (redirect to HTTPS)
- Allow 443/TCP from anywhere
- Allow 22/TCP from your IP only (or use a VPN)
- Block everything else
Tips
- Change SSH port? Only security theater. Moving SSH to a non-standard port (like 2222) reduces noise in your logs from automated scanners but provides no real security. SSH keys and fail2ban are the actual defenses.
- Port 0 is reserved. It's technically valid in some implementations for OS-assigned port selection, but not a real service port.
- UDP is connectionless. Services like DNS and NTP use UDP for speed. There's no handshake, so firewall rules for UDP are stateless — you need to explicitly allow responses back in or use a stateful firewall.
How do I check which ports are open on my server?
ss -tulnp on Linux shows all listening sockets with the process name. netstat -ano on Windows does the same. From outside your server, use nmap -sT -p 1-1024 to scan well-known ports (only on systems you own or have permission to test).
Why is port 8080 commonly used for development?
Ports below 1024 (including 80 and 443) require root/administrator privileges to bind on most systems. Port 8080 is the convention for running HTTP development servers without elevated privileges. It has no official IANA assignment but is universally understood.
What should I do if I see unexpected ports listening on my server?
Check the process with ss -tulnp | grep or lsof -i :. If you don't recognize the service, it could be legitimate (a package installed a background service) or a sign of compromise. Investigate before blocking it.
Related Calculators
- Subnet Calculator — IP-level network planning
- Network Uptime Calculator — SLA planning for services on these ports
- Bandwidth Calculator — capacity planning for services you're running