It’s the one thing when I’m configuring things that makes me wince because I know it will give me the business, and I know it shouldn’t, but it does, every time. I have no real idea what I’m doing, what it is, how it works, so of course I’m blindly following instructions like a monkey at a typewriter.
Please guide me into enlightenment.
I mean, you’re not wrong. Just a bit of an asshole.
A port is a convenience wrapper for the application space. That’s really it. The networking stack delivers messages to the host, and then the kernel uses ports to distribute messages from there. Otherwise every application would need to parse out every network (or local) payload to determine if it is relevant or not. This obviously ends up with a lot of duplicate processing, thus port routing instead.
Maybe think of it like one of those big walls of post office mailboxes…behind the wall is your computer and an app might be waiting for a message at box 22 or box 45678. You could close all the boxes and nothing could get in, or you could open one or all of them and allow people to deliver messages to them.
If you connect your computer directly to the internet, anyone who knows your IP address could say 'deliver message X to port 22 at ip address <your ip address> and the program watching that box would get the message.
If you put a router in the mix, and multiple computers, the router has the same block of boxes, but if someone sends a message to one of the boxes it just sets there. If you set up ‘forwarding’, sending a message to your ip address gets the message to the router, but if you forward box 22 from your router to a specific computer on your network, then the router takes a message at box 22 on itself and ‘forwards’ it to box 22 on whatever computer you specific (using internal ip addresses).
You could map box 22 on your router to any other box on your computer…like port 22 coming into your router might get sent to port 155 on your computer…this is useful if you don’t want external people just exploring and lazily breaking into your computer using known vulnerabilities. Lots of ports are ‘common’, so an ftp hack on port 22 is easy, and might be ‘slightly’ harder if you tell your computer to actually look for ftp traffic on port 3333 or something.
The one statement “using internal IP addresses” has clarified something to where I’m actually excited to try working on a long-standing problem.
But how come I’ll get instructions from a program that I have to allow ip “bla.bl.b.blah:80” when that number isn’t my IP? Then I go on my router and do it and the program doesn’t work/port isn’t open? Those kind of problems kill me.
This is a really old message, but if you’re still having the same question i could try to answer, but that kind of message is pretty context dependant. For that specific one, it sounds like your program is trying to access something outside your network, like they have a website they need to access to check for updates or something.
A port is basically what it sounds like, a hole in your network to allow traffic to get to your pc
When you forward a port you send all traffic trying to get into that port to the computer you configure it to forward to. I believe forwarding and opening are synonymous, I’m sure someone will correct me if I’m wrong
There are two protocols for transmitting data you can open/close individually, TCP and UDP. Depends on the application, some want one, some want the other, some can use either or some want both
Opening ports allows anyone with your IP address to get at your computer, which means they have a chance to exploit any vulnerabilities there might be in your os, networking stack, software etc, so generally it’s a good idea not to leave them open unless absolutely necessary
Personally I use tailscale to get around having to open ports, makes it as if they’re all on the same network
Port forwarding is related to router forwarding all the traffic it gets on specific port to your computer. Port opening is just enabling to communicate via a new port on your computer.
Both can be done irrespective of each other and sometimes they do happens simultaneously. The router could forward the traffic to a new port that you opened on your computer. But they are not synonymous with each other.
Let’s say you want to talk to your friend. You have several protocols, Phone, Mail, Email, SMS, or maybe something stranger, like smoke signals or memes. Each protocol needs a different port.
Your friend doesn’t answer phone calls or check VMs. The ‘port’ for phone calls is blocked. Nothing gets in through here.
Your friend only accepts email from certain addresses, like protonmail. This port is filtered. Only known things get in through here.
Your friend accepts any texts if they begin with the secret pass phrase. This port is open and filtered. Few unknown things get in through here.
Your friend accepts all postage. This port is open. Anything can get in through here. HTTP or HTTPS, your browser.
The VPN is sort of like an opaque tunnel you run from your house alongside public roads to some place you feel safe exiting, And then the usual steps in communicating. All of the communication has to go through the exit point back to the house.
If this kind of thing interests you, have a basic book for free. https://open.umn.edu/opentextbooks/textbooks/353
It would really help to know what concepts you are already familiar with and feel like you understand. Lacking that, I’m going to cover a lot of basic concepts. I’m assuming typical/common situations, as always it can always be different and more complicated. Wall of text incoming.
Typical basic networks are a collection of devices that are able to communicate with each other through some medium like a wired network or WiFi. Each device In a network will have an IP address (a set of four numbers between 1 and 254 divided by periods for example: 192.168.1.100). For one device to send a message to another device, it addresses the message to the device using its IP Address. This is like sending a letter in the mail - you need to mark the letter with the street address or it won’t be delivered.
Now sticking with this analogy, if I wanted to send you a letter and you lived in a hotel or apartment complex without a dedicated address just for you, I need to make sure to address the letter not just to your building but also to you specifically. This is where ports come in. If I want to join your Minecraft server, I need to be able to reach your computer specifically and I also need to make sure my Minecraft game is talking to your Minecraft server and not your web browser or something. Software listens for specific ports. So to join a Minecraft server hosted on your computer with the address 192.168.1.100 I’d need to also specify the port so that the Minecraft server software know my messages are for it specifically.
That’s the ELI5 version.
Stepping up the complexity now. In most cases, joining someone’s Minecraft server is more complicated because I’m on my home network, and my router is connected to the internet, and through the internet I connect to your router and then from the router I need to connect to your computer. The way this works is that each of our routers are on two different networks - our home network and the Internet.
Most home networks will look very similar. There are ranges of addresses that are reserved for local (non internet) network devices, such as my example IP address - 192.168.1.100. It is possible that each of our networks have a device with this IP address. Fortunately, routers act as middlemen and coordinate communication between devices inside our network and devices on the internet. Think of the router as a fancy doorman outside the hotel or apartment.
Unfortunately, it is often the case that my computer will not know the IP address of your computer within your network. You can work around this by using port forwarding. I write “Minecraft” on the letter and you instruct your doorman that any letter with “Minecraft” written on it should be delivered to your Minecraft server. In reality, you’d forward any traffic from the internet with a specific port number directly to your Minecraft server computer. The computer running the server is already “listening” for traffic on that port and will take it from there.
Now for more complicated stuff. Technically, ports are rather arbitrary. Some ports are standardized. As someone else had mentioned, port 80 is the standard for HTTP and 443 is standard for HTTPS (encrypted). However, nothing is stopping you from hosting a webserver on a server using a different port, like port 12345. Your web browser will assume port 80 and the webserver will ignore your web browser until you tell your browser to use port 12345. It is also possible for multiple service or pieces of software to have the same port which causes problems. I have a server on my home network and multiple services that display a web page (port 80 or 443). They can’t all use the same port so I have to work around this by either using different ports or assigning each a different IP address.
So what does “opening” a port mean? Well, as you might imagine there are many pieces of software and many services running on devices in your home network. As a security precaution, many routers will block or ignore any traffic on the internet that tries to talk to it in a way it is not expecting. You don’t want randos trying to connect to your computer through the internet and your router.
Unblocking or opening a port could be something like forwarding a port to a device on your network. Now your doorman will always deliver every letter with “Minecraft” written on it to your Minecraft server. If there is a security flaw in Minecraft, this could technically be something someone could exploit.
Similar to your router, Windows (the operating system) will also block/ignore traffic that it isn’t expecting as a security precaution. Opening a port might mean creating a rule in your firewall setting to let traffic from certain ports into your computer. If Windows is ignoring any letters it doesn’t recognize, my Minecraft letters still won’t reach your Minecraft server even if it is clearly addressed to it. Windows may also be blocking traffic from leaving your computer if it does not have a firewall rule telling it otherwise so its possible the server got my letter, but Windows blocked the reply so I’m left hanging.
A VPN is a Virtual Private Network. This term can mean a few different scenarios but what they all have in common is that it creates a hole into your network, bypassing the router (maybe both routers). It is sometimes called a tunnel, which is a pretty good metaphor. Basically, you are running a virtual network cable through the internet from one computer or network to another. Through this virtual network, devices will be able to see and interact with each other as if they were on the same network.
Real life example. I manage a few servers where I work. If I need to log into those servers from home I cannot do this. It would be extremely dangerous to just let anyone on the internet have access to the server’s login screen. So instead, I use a VPN. Now my home computer is virtually connected to my work’s internal network - as if I’d brought my personal laptop into work and plugged it into the network jack next to my workstation in my office. I can use the same software I’d use at work to log into my servers without having those servers directly exposed to the internet. I am limited by my home internet speeds but it is otherwise almost identical.
Similarly, we could install VPN software on our two computers and I could then join your Minecraft server directly, bypassing your router, as if we were both on your home network.
Like I said, there are quite a few ways to do this and I’ve heard many of the ways referred to as either a VPN or a tunnel. More context could get you a better answer.
Generally, opening ports is a security risk. This is especially true when opening more common ports or ports that get a lot of use. More common, standard ports will be more likely to get attacked and ports that get a lot of use will be more likely to be targets of exploits. It really depends on your scenario. Imagine that, if someone wanted, they could likely figure out what port you’ve opened and what is listening for that port on your home network. They might try to brute force a password or take advantage of the software’s security flaws.
Forwarding a randomly chosen port so a friend can join your Minecraft server? Not so risky. Opening port 22 so you can log into your home computer while you are away from home? Much riskier.
Imagine your computer is a big block of flats and your applications are all people who live in the building.
Mail sent to the building address alone isn’t going to reach the intended recipient, because the postman doesn’t know what flat to post it to. So they need additional information such as ‘Flat 2C’
That’s the basic concept of ports. It’s basically additional addressing information to allow your computer to direct internet traffic to the correct applications.
When an application is actively listening on a port, it means that they are keeping an eye out for messages addressed to them, as designated by the port number. While an application is sending or receiving messages using a given port number, that port number is considered ‘open’.
Now, all sorts of applications do all sorts of things. Some are for the public to use and some that are useful within trusted circles, but can be abused by malicious people if anyone in the world can send messages to it. Thus, we have a firewall, which acts as a gatekeeper. A firewall can ‘block’ a port, denying access to a given group of people, or ‘unblock’ it, allowing access.
VPNs are a totally different thing. They are literally middlemen for your internet traffic. Instead of directly posting a message to somewhere and receiving a direct reply back, imagine you flew out to Italy to use a post box there and receive replies from there.
To expand on port forwarding, consider your router to be the lobby to your apartment building, but you get to choose which rooms are reachable by an outside visitor.
Port forwarding would be like if all the apartments were listed 1-[x] inside the building, but 1A-1Z, 2A-2Z and so on to outsiders. Someone sends a message to <address>, apartment 2Y, and the lobby knows that actually goes to apartment 51.
I love your analogy for ports, but I’m not sure about the VPN one.
If you imagine network traffic as mail going through the postal system, then a VPN is like a private mail tunnel between two locations, that nobody else can enter or look into. Mail sent via the tunnel is private and nobody else can read it. The person at the other end of the tunnel can either open the mail themselves (ie a VPN from your laptop to your home server to access it when you’re away), or forward the mail somewhere else (ie if you’re routing Internet-bound traffic through it) and nobody will know it came from you originally.
I’m not sure that’s a completely accurate analogy either. When you’re using a VPN people can still see that you are sending traffic through your tunnel, they just can’t tell what it is that you’re sending. It’s like looking through frosted glass; there’s definitely something moving in there but you can’t tell what.
I suppose the best way to describe it is you send a locked box to a trusted friend; everyone handling it can see the box but can’t tell what’s inside. Inside the box is a letter, your friend posts it so it looks like it came from them. Your friend then gets a reply, puts it in a locked box, and send it back to you. Nobody between you and your friend can snoop on your mail but anyone between your friend and the final destination can.
locked box
As soon as I read this I read the rest of your comment in Al Gore’s voice, ca 2k SNL, lol.
Yeah, but if you’re communicating with the buttplug store, the specific contents of the box don’t really matter. You still want a trusted friend to not tell people where you get your boxes from.
Great point. Analogies are hard :)
i have nothing to add, i just like you analogy
To add to your analogy if i may, the firewall is kind of like a security guard or doorman at the building entrance. All mail has to go through him first and if something is addressed to a closed flat (port) he simply doesnt let it get delivered.
Yep! The security guard is also given a bunch of rules to follow such as “don’t let anyone outside of our neighbourhood contact door 22”, which will also determine whether messages get delivered or not
To expand on that analogy… certain services need entry into the building and then from there, they get distributed throughout the building.
Water comes in on the water line.
Electricity comes in on the electric wire.
Internet may come in on coaxial or fiber.
Gas comes in on the natural gas pipeline.Your computer has ports to deal with basic tasks. These are called “well known port numbers”.
https://www.geeksforgeeks.org/50-common-ports-you-should-know/
So while, in theory, you COULD get email in on a non-email port, that wouldn’t be expected and would be like feeding water through a natural gas line.
Just reading that URL and I’m sorry (to the author of that article), but there’s no way there are 50 ports “you should know”. 443, 80, 22, and that’s about it. Maybe whatever the SMPT port is just for interest’s sake, but that’s very rarely going to be important practical knowledge. And there are some ports outside the well-known port range that might be handy. Your VPN’s port, your DB’s port. But even then, you’re not getting anywhere near 50.
Cyber security guy here: we care about 22 for SSH, 443 and 80 for Web traffic, 3389 for RDP and 21 for FTP. Everything else we google and we all have to google 21 and 3389 because we all forget them half the time anyway.
People still use FTP? 😬
Is there a better way to get stuff onto my 3DS without removing the SD card
Now I wonder if I can send files to my 3ds from my vita via ftp
Just for shits and giggles I’ve sent pictures from my Switch to my Wii with ftp
The short answer is, when your computer sends a message over the network, the IP address specifies which computer should receive the message, and the port specifies which program should receive the message.
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=3kfO61Mensg
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
IP is like an address to a big skyscraper where a company operates. You are the delivery man and must go to 201.154.76.19 and deliver something. When you get at the reception, you tell them you have a package to deliver to Mrs HTTPS, at room (port) 443. Since Mrs HTTPS is well known and has cleared your entry before, you’re allowed to enter this room and only this room.
If you were to get at the same address and try to access other rooms you would either get refused because they are closed, or if open, someone would specifically need to be in the room so you can deliver something
Malicious actors that wanted access to the building could try to disguise their deliveries and enter the building, that’s why the default policy of most firewalls is “reject” and you specifically need to open a port and have a program listening to it if you want incoming connections.
Ports are just ways for applications to communicate data amongst themselves or other computers, networks, internet etc. They’re represented by a number, and there are well known standards for certain ports, like HTTP web traffic is most commonly over port 80, HTTPS encrypted web traffic is usually over port 443, etc. The reason for ports is it allows the ability to lock down a computer or networked device from external communication (like computers on the same network, or the internet) and only allow certain applications to have outbound or inbound traffic and data communication, thus increasing security from malware, hackers, unwanted snooping, etc.
For example, by leaving the web browsing ports open, but blocking all other ports, you can communicate over the internet, but not share all of your images from your “Pictures” or “Documents” folders on your device, thus keeping you safe.
Every computing device, phone, tablet, etc has ports that can be opened and closed, even the Operating System running on your device, or even your WiFi router. When you’re reading articles about opening or blocking ports, its usually talking about how to open ports on your WiFi router so in incoming or outgoing application connection trying to communicate from/to internet and your computer can establish a connection through your wifi routers and not be blocked. Or how to open those same ports on your Operating System, so the connection can be established from the internet, though your WiFi router, through your OS, to the application running on your computer. Ports are usually blocked by default, and you need to open them, though the standard ones (like web traffic, port 80, 443 are usually defaulted to open for convenience sake)
A VPN, is a Virtual Private Network, it allows you to create a network of computers or devices that aren’t actually on the same network, for example, we could make a VPN between your computer and mine, and they would be able to see each other, transfer files between themselves, etc, just like we were in the same home, on the same WiFi. The VPN’s are established over a port, and use a port to communicate, so you’d most likely need to open the port on your WiFi router and computer to establish the connection.
Most of remote connections for business, are done through a VPN. When you work from home, but are able to see the internal resources from your company, a lot of times its achieved with a VPN.
The word “Private” in Virtual Private Network, means that that the connection is encrypted and people can’t see the traffic going between the devices in this ‘virtual network’ traveling over the internet. People can also use this to their advantage and use a VPN in other ways, such as hiding traffic from illegal behavior, such as pirating movies and music, from their internet provider. Their computer is connected to a random server connected by the VPN, they go to the pirate bay, request to download a movie, the request comes from the other computer connected in the VPN, and is sent to their computer, with their internet provider being none-the-wiser.
Just to clarify, nothing about ports requires wifi to be involved at all. It doesn’t need to be a wifi router, a network doesn’t have to be connected via wifi.
Very true, I just kept saying WiFi router, because for most people’s home networks, even if their device is wired, if they have a wifi router set up, their WiFi router is usually their network firewall as well, so even if your gaming desktop was wired, you’d probably still need to open ports on your WiFi router to make something like a VPN work.
Just seemed like a needlessly confusing specific detail to include as it is not a necessity to have any wifi connectivity at all and might mislead OP/readers into assuming it has some relevance to ports. It should be sufficient to just say router unless the question involves SSIDs or related components specific to that connection method.
Agreed, I fixed it.
Funfact: doesn’t even require ethernet. Any link that involves an IP will do.
When you have a bunch of computers networked, each of them is assigned a unique number, so when other computers send data on the wire, they can say who it is meant for (imagine each blurb of data starting out like: “yo, I’m sending these next 500 bytes for computer 0A123FBC32, here they come”).
Now the right computer will listen, but it doesn’t know what program the data is for - is it a chunk of a file your browser is downloading? Or the email your email app wants to display? Or perhaps a join request from your buddy’s computer for the Minecraft game you’re hosting?
So in addition to the unique number of the target computer, the data also specifies a “port number”, which tells the computer which of its running programs the data is meant for (programs ask the computer’s operating system: “if any network data arrives on port XY, give it to me”). Some ports have become standards - for example, a program that serves web pages to other computers would typically ask the operating system that any data arriving on the computer that indicates port numbers 80 and 443 should be given to it, and when a web browser wants to fetch a web page, it will send a request to the computer serving the page, defaulting to port 80 o 443.
If you dig deeper, you’ll find that there are even more unique numbers involved and routers/firewalls let data through not only by port number but also by distinguishing between data that is the initial request to another computer’s port number and data that is an answer to an earlier seen request – and more.
This is a great explanation, pretty much what I would have said
This is the first time I understand ports in networking. Thank you!
Just think of your computer or server as a huge building with thousands of doors. Most are closed, but you purposely open a few to allow traffic in and/or out of. Those that are open are only open for a specific purpose and will only lead in or out of a specific place in the building.
Not OP but wondered the same thing for ages. Thanks for your concise reply. Am I right in thinking ports aren’t actually physical things but entirely logical instead ? I always assumed they were physical “pipes” because of the name but in the light of replies here it feels like I assumed wrong
They’re defined by the software that listens for incoming connections. For example, a wrb server will (by default) open a listening port on port 80, as that’s what is defined in the http standard. If said server supports https (which most of them do) it will also open a listening socket on 443.
It’s easy to reconfigure a wrbserver (or any other server) to listen on any other port instead, provided that it’s no already claimed by a different server software. The only caveats is that any clients that want to connect will have to specify the correct port. For example, if the webserver is instead running on port 1234, you’d type http://example.com:1234/ in the address field.
Ports are identified by their number which is in the range of 1 through 65535. The first 1024 ports are “official”, which can often be observed by the fact that most of the fundamental protocols that makes the internet function is in this range (http, https, ftp, ssh, dns, smtp, pop3, imap just to name a few). And on linux systems, opening a listening socket on a port below 1024 requires root privileges.
It’s worth noting that no port number is “better” than any other. Port 2 will work just as well as 22222. It’s just a way for a server to know which server software should receive the incoming packets.
A bit beyond what you’re asking, but I consider it a natural fuetherance thereof: you can talk to a wrbserver manually by using telnet. It’s easy, I just don’t remember the syntax in my head, but it’s an easy question for google.
A “port” is just a number that gets assigned to network messages to differentiate targets within the same IP address.
One program is “listening on port 1”, which means it has told the operating system “anything labeled port 1, send it to me”.
It’s sort of like saying “attention: Joe” versus “attention: Sue” on an address. Same address, same building, but that “attention” line means to put it on Joe’s desk inside the building.
Except instead of “attention: Joe”, it’s just “attention: 22”. A numerical code that represents a “mailbox” inside the computer.
To take this further, if the office mailroom is the router, opening a port is like telling them “we just hired Jeff, so accept mail with ATTN Jeff” and closing a port is like “we just fired Sam, burn all mail addressed to Sam”.
That is The Good Answer.
Another, very similar way of thinking about it is that It’s effectively like an apartment or office number. A post office typically ignores it, but if told to, they would forward a specific apartment number at a specific address to a new address and apartment number.
Think of the Internet as being able to send opened letters with a destination address and return address. Anyone that handles the letter to help deliver it can see what it says, who’s sending it, and where it’s going.
A VPN is like asking a company to help you transmit the letter with more privacy. The VPN creates a secret code between you and the VPN, so that only you two understand what is in the letter. Then, the VPN communicates with whomever while not sharing your identity so that no one knows who you are unless you specifically tell them in the letter.
Say you want to know what the symptoms you’re experiencing after a sexual encounter are, but you’re embarrassed and don’t want anyone to suspect anything in case it’s nothing. You tell your VPN you want to send a letter to the medical info center. The VPN tells you to use a code that was created automatically so that no one knows what it means besides you and their code machine, and was sent to you earlier when you signed up for their service or at a regular update. “Use code 5 we sent you last week.” You write the letter and address in code 5, then address it in normal language to the VPN, sending it via the mail system. The VPN machine translates the code to normal language but changes the return address to its own address. The medical info center receives a letter saying that the VPN wants to know the info you requested, so they respond. The VPN receives the info, translates it back to code 5, and sends the info to you.
As far as everyone in the mail system is concerned, you sent and received info from the VPN, but only you know what it was because the mail system couldn’t understand it, and the VPN handled it through an automated machine. The medical mail system and medical info center then knows what the letter said, but thinks the VPN requested that info, so they don’t know it was you. Since the VPN handles tons of mail, no one knows who is requesting what specific info through the VPN.
Note: This assumes the VPN doesn’t keep logs. Some VPNs might actually track what you send, so they could keep track of your messages. That’s why people that value privacy recommend to use VPNs that don’t keep logs.
