Ports explained (0–65535, well-known vs ephemeral)

Topic: Networking basics

Summary

Ports are 16-bit numbers (0–65535) that identify which service or application receives traffic on a host; TCP and UDP each have their own port space. Learn the well-known (0–1023), registered, and ephemeral (dynamic) ranges so you can open the right port, debug 'connection refused', and understand listen vs connect. Use this when configuring firewalls or services.

Intent: How-to

Quick answer

  • Ports 0–65535 identify the service on a host; well-known (0–1023) ports are conventionally used by servers (e.g. 22 SSH, 80 HTTP, 443 HTTPS); ephemeral ports (IANA 49152–65535; Linux defaults to 32768–60999) are picked by the OS for a client's outbound connections.
  • A connection is identified by (local IP, local port, remote IP, remote port) plus the protocol; the server listens on a fixed port; the client uses an ephemeral port for the outgoing connection.
  • When opening a firewall, allow inbound to the port the service listens on (e.g. 22 for SSH); you do not need to open the ephemeral range inbound for outbound client traffic if the policy allows established/related (stateful) return traffic.

Steps

  1. Know the port ranges

    Well-known (system): 0–1023; on Linux, binding these requires root or CAP_NET_BIND_SERVICE. Registered: 1024–49151, listed with IANA on request (e.g. 3306 MySQL, 8080 HTTP alternate); no privilege needed to bind. Dynamic/ephemeral: 49152–65535 per IANA, though Linux defaults to 32768–60999 (sysctl net.ipv4.ip_local_port_range); the OS picks client source ports from this range.

  2. Relate listen and connect

    The server binds a port (e.g. 22) and listens; the client picks an ephemeral source port and connects to server:22; the tuple (client IP, client port, server IP, 22), together with the protocol, identifies that connection, so one server port can serve many clients at once.

  3. Apply to firewall rules

    Allow inbound new connections only to the ports the service listens on (e.g. 22, 80, 443); allow established/related so replies to connections the host initiated are permitted by the connection-tracking state rather than by port number; never open the whole ephemeral range inbound from the internet.

  4. Debug with port tools

    Use ss -tlnp (or netstat -tlnp; add -u for UDP) to see listening ports and the owning process (the -p column needs root for other users' processes); use ss -tnp to see active connections with their local and remote ports. 'Connection refused' means the target answered with a TCP RST, which usually means nothing is listening on that port (a firewall REJECT with tcp-reset looks the same); a timeout instead means packets are being dropped (filtered).

Summary

Ports are 16-bit numbers (0–65535) that identify the service or application on a host, separately for TCP and UDP. Well-known ports are used by servers; clients use ephemeral ports. Use this when configuring services, firewalls, or debugging "connection refused" and listen vs connect.

Prerequisites

  • None; this is a foundation concept.

Steps

Step 1: Know the port ranges

  • 0–1023: Well-known (system); e.g. 22 (SSH), 80 (HTTP), 443 (HTTPS). On Linux, binding these requires root or the CAP_NET_BIND_SERVICE capability (the threshold can be lowered with sysctl net.ipv4.ip_unprivileged_port_start).
  • 1024–49151: Registered; listed with IANA on request and used by many services by convention (e.g. 3306 MySQL). Any user may bind them.
  • 49152–65535 (IANA dynamic range; on Linux the default is 32768–60999, see sysctl net.ipv4.ip_local_port_range): Ephemeral; chosen by the OS as the source port of outbound client connections.

Step 2: Relate listen and connect

The server binds a fixed port (e.g. 22) and calls listen. The client is given an ephemeral local port by the OS and connects to the server's IP and port 22. The connection is uniquely identified by the four-tuple (client IP, client port, server IP, server port) plus the protocol, which is why one listening port can serve many simultaneous clients and why the client side does not need to know its own port in advance.

Step 3: Apply to firewall rules

Allow inbound new connections only to the ports your services listen on. For outbound, a stateful filter that allows "established" and "related" traffic (connection tracking) permits the return packets of connections initiated by the host, matched on the tracked tuple rather than on the destination port, so the ephemeral range is never opened to inbound connections from the internet.

Step 4: Debug with port tools

  • ss -tlnp (or netstat -tlnp): list listening TCP ports and the owning process; use -u for UDP listeners. Showing processes that belong to other users requires root.
  • ss -tnp: list active TCP connections with local and remote addresses and ports; the local port of an outbound connection is the ephemeral port.
  • "Connection refused" means the destination answered with a TCP RST: no listener on that port (or a firewall rule that rejects with tcp-reset). A timeout means the packets were dropped (filtered), not that the port is closed.
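The listen/connect relationship, ephemeral port selection and the "connection refused" diagnosis described in Steps 1, 2 and 4 (both in the Quick answer steps above and in Steps 1–4 here), as an added Python example that is not part of the original page. It uses only the standard library over loopback; the helper names (ephemeral_range, try_bind, listen_and_connect, probe, free_port) are this example's own, and port 0 stands in for a real service port so the demo never collides with a running service.

```python
import errno
import socket
import threading


def ephemeral_range():
    """Return the (low, high) ephemeral port range the local kernel uses.

    Linux exposes it as net.ipv4.ip_local_port_range (default 32768-60999);
    on other systems fall back to the IANA dynamic range 49152-65535.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = (int(x) for x in f.read().split())
        return low, high
    except (OSError, ValueError):
        return 49152, 65535


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP socket to `port` and report why it failed, if it did.

    Returns "ok", "no-privilege" (port < 1024 without root/CAP_NET_BIND_SERVICE)
    or "in-use" (another process already holds the port; see Troubleshooting).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except PermissionError:
        return "no-privilege"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        s.close()


def listen_and_connect(host="127.0.0.1", port=0):
    """Start a listener, connect to it, and return the four-tuple seen by each side.

    port=0 lets the kernel choose a free port for the demo; a real service
    would bind a fixed, documented port such as 22 or 443.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.settimeout(5)                     # never hang the demo in accept()
    server.bind((host, port))
    server.listen(1)
    listen_port = server.getsockname()[1]
    seen = {}

    def accept_one():
        conn, _ = server.accept()            # the accepted connection is its own socket
        with conn:
            seen["local"] = conn.getsockname()   # (server IP, the listening port)
            seen["peer"] = conn.getpeername()    # (client IP, the client's ephemeral port)
            conn.sendall(conn.recv(16))          # echo so the client can finish cleanly

    worker = threading.Thread(target=accept_one)
    worker.start()
    try:
        client = socket.create_connection((host, listen_port))  # OS picks the source port
        with client:
            client_local = client.getsockname()
            client_peer = client.getpeername()
            client.sendall(b"ping")
            client.recv(16)
        worker.join()
    finally:
        server.close()
    return {
        "listen_port": listen_port,
        "client": (client_local, client_peer),    # how the client names the connection
        "server": (seen["local"], seen["peer"]),  # the same connection, mirrored
    }


def probe(host, port, timeout=1.0):
    """Classify a TCP connect the way a port scanner does.

    "open":     the three-way handshake completed, something is listening.
    "closed":   the peer answered with RST, surfaced as ECONNREFUSED: no listener
                (or a firewall REJECT with tcp-reset).
    "filtered": no answer before the timeout, so packets are being dropped.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def free_port(host="127.0.0.1"):
    """Bind port 0, read back the port the kernel chose, release it again.

    Used to find a port with no listener so `probe` can demonstrate "closed".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    low, high = ephemeral_range()
    print(f"ephemeral range: {low}-{high}")
    print("bind 80 ->", try_bind(80))          # "no-privilege" unless root/CAP_NET_BIND_SERVICE
    r = listen_and_connect()
    print("client sees:", r["client"])
    print("server sees:", r["server"])
    print("closed port ->", probe("127.0.0.1", free_port()))
```

Run it and compare with the tools from Step 4: while a real connection is up, ss -tnp shows the client's side with the ephemeral port in the local column, and ss -tlnp shows only the server's listening port. On the firewall side the client's ephemeral port never needs an inbound rule: a stateful filter (nftables `ct state established,related accept`, iptables `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`) matches the reply against the tracked tuple, which is exactly what Step 3 relies on.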

Verification

  • You can name the well-known ports for SSH, HTTP, and HTTPS; explain the difference between a listening port and an ephemeral client port; and use ss to list listeners and connections.

Troubleshooting

Nothing listening on expected port — Service not started, bound to another port, or bound only to a different interface (e.g. 127.0.0.1 instead of 0.0.0.0); start the service or fix its bind address and port; check the Local Address:Port column of ss -tlnp.

Port in use — Another process is already bound to that port (bind fails with EADDRINUSE); identify it with ss -tlnp (run as root to see other users' processes) and stop the other process or change the service port.

Next steps

Continue to