
Port Range Validator

Validate port number ranges and check for overlaps. Free online port validator. No signup, 100% private, browser-based.

How it works

Network port numbers are 16-bit unsigned integers (0–65535) identifying specific services on a network endpoint. Validating port ranges is necessary for firewall rule authoring, service configuration, load balancer setup, and security policy review — an invalid or overlapping port specification can leave services exposed or unreachable.

**Port range categories**

- Well-known ports (0–1023): assigned by IANA, require root/administrator privileges to bind on Unix systems. HTTP=80, HTTPS=443, SSH=22, DNS=53, SMTP=25, FTP=20/21, Telnet=23, SNMP=161.
- Registered ports (1024–49151): assigned by IANA for specific services. PostgreSQL=5432, MySQL=3306, MongoDB=27017, Redis=6379, Elasticsearch=9200.
- Dynamic/ephemeral ports (49152–65535): used by the OS for outbound connections; the source port of a TCP/UDP session.

**Validation checks**

- Port number range: 0–65535 (16-bit unsigned). Port 0 is reserved (not available for binding, but used in some protocols for dynamic assignment).
- Individual ports: integer.
- Port ranges: startPort–endPort where startPort ≤ endPort.
- Overlap detection: given a list of port ranges, flag overlapping ranges that would cause ambiguous firewall rules.

**TCP vs UDP** TCP and UDP have separate port spaces — port 53 TCP (DNS zone transfers) and port 53 UDP (DNS queries) are distinct services. Firewall rules typically specify protocol (TCP/UDP/both). SCTP is a third transport protocol with its own port space (same numbers but different protocol context).
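
The validation checks and the separate per-protocol port spaces described above, as an added Python example (not this tool's own code). It assumes a hypothetical rule syntax of `proto/port` or `proto/start-end`, and the sample rule list is constructed.

```python
import re
from typing import NamedTuple
PORT_MAX = 65535  # ports are 16-bit unsigned integers
# Assumed rule syntax for this example: "proto/port" or "proto/start-end"
SPEC_RE = re.compile(r"(tcp|udp|sctp)/([0-9]{1,5})(?:-([0-9]{1,5}))?")

class PortRange(NamedTuple):
    proto: str
    start: int
    end: int

def classify(port: int) -> str:
    """Name the category of a port, using the boundaries listed above."""
    if port == 0:
        return "reserved"  # inside 0-1023, but not available for binding
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"

def parse_spec(spec: str) -> PortRange:
    """Parse one rule; raise ValueError when it is malformed or out of range."""
    m = SPEC_RE.fullmatch(spec.strip().lower())
    if not m:
        raise ValueError(f"malformed spec: {spec!r}")
    proto, start = m.group(1), int(m.group(2))
    end = int(m.group(3)) if m.group(3) else start
    if start > PORT_MAX or end > PORT_MAX:
        raise ValueError(f"port above {PORT_MAX}: {spec!r}")
    if start > end:
        raise ValueError(f"start port exceeds end port: {spec!r}")
    return PortRange(proto, start, end)

def find_overlaps(ranges):
    """Return overlapping pairs; each protocol is a separate port space."""
    ordered = sorted(ranges)  # by protocol, then start, then end
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.proto != a.proto or b.start > a.end:
                break  # sorted input: nothing later can overlap a
            overlaps.append((a, b))
    return overlaps

# Constructed sample rule set, not taken from the page
SAMPLE = ["tcp/80", "tcp/8000-8100", "tcp/8080-8090", "tcp/53", "udp/53", "udp/8080"]
if __name__ == "__main__":
    print(find_overlaps([parse_spec(s) for s in SAMPLE]))
```

Only the two TCP ranges around 8080 are reported; `tcp/53` versus `udp/53` and `udp/8080` versus the TCP ranges are not overlaps because the protocols differ.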

Frequently Asked Questions

What ports should a web server have open?
Public-facing web servers: port 80 (HTTP), 443 (HTTPS). Mail servers: 25 (SMTP relay, server-to-server), 587 (SMTP submission, client-to-server with auth), 993 (IMAPS), 465 (SMTPS). Never expose 22 (SSH) to the public internet; use a VPN or IP allowlist. Database ports (3306/5432/27017) must never be internet-accessible. Port 6379 (Redis) has caused numerous breaches when accidentally exposed. Principle of least privilege: open only the specific ports required, from only the specific source IPs that need them.
What are ephemeral ports and why do they matter for firewall rules?
When your machine initiates a TCP connection (as a client), the OS assigns a random source port in the ephemeral range (49152–65535 on modern Linux/Windows; 1024–65535 on some older systems). The server responds to this ephemeral port. For stateful firewalls (tracking established connections), return traffic for outbound connections is automatically permitted — you don't need explicit inbound rules for ephemeral ports. For stateless firewalls (traditional ACLs), you must explicitly allow inbound traffic to the full ephemeral range, or track connections at the application layer.
Why do some services need to be root to bind to ports below 1024?
On Unix systems, binding to privileged ports (< 1024) requires root privileges (specifically, the CAP_NET_BIND_SERVICE capability). This is a security measure: only trusted system services should listen on well-known ports like 80, 443, or 22. In practice, production servers often run as non-root: nginx starts as root (to bind port 80/443), then drops privileges to the www-data user for request handling. Alternatively, use setcap cap_net_bind_service=+ep /usr/bin/service to grant binding privileges without full root. Docker containers bypass this restriction when host networking is used.
How do I check which process is listening on a specific port?
Linux: ss -tlnp | grep :80 (shows TCP listening sockets with process IDs). Or: lsof -i :80. Or: netstat -tlnp (deprecated but still common). macOS: lsof -i :80 or netstat -anvp tcp | grep LISTEN. Windows: netstat -ano | findstr :80 (shows PIDs) then tasklist | findstr [PID]. PowerShell: Get-NetTCPConnection -LocalPort 80 | Select OwningProcess. Docker: docker ps lists containers; inspect the PORTS column. Cloud: security group rules show allowed ports but not which process — use SSH/SSM to run lsof on the instance.