Adjacent Node
Networking, explained. No BS.

Common Ports

What It Is

Ports identify application services above IP. TCP and UDP port numbers are not security labels, but they are still useful for firewall policy, packet captures, NAT, service discovery, troubleshooting, and exposure reviews. Modern port work is less about memorizing every number and more about knowing what should never be exposed, what needs bidirectional flows, and what encryption or tunneling hides.

Core Operator Ports

| Port | Transport | Service | Notes |
|---|---|---|---|
| 20, 21 | TCP | FTP data/control | Legacy, difficult through NAT and firewalls |
| 22 | TCP | SSH, SCP, SFTP | Admin access, restrict tightly |
| 23 | TCP | Telnet | Legacy cleartext, do not expose |
| 25 | TCP | SMTP server-to-server | Mail transfer, heavily filtered |
| 53 | TCP/UDP | DNS | UDP common, TCP for large replies and zone transfers |
| 67, 68 | UDP | DHCPv4 | Client/server broadcast and relay behavior |
| 80 | TCP | HTTP | Often redirects to HTTPS |
| 123 | UDP | NTP | Time sync, abuse risk if exposed incorrectly |
| 179 | TCP | BGP | Router peering, never broad exposure |
| 443 | TCP | HTTPS | Web, APIs, many tunneled services |
| 500 | UDP | IKE | IPsec negotiation |
| 514 | UDP/TCP | Syslog | UDP common, TCP/TLS preferred where supported |
| 546, 547 | UDP | DHCPv6 | IPv6 address/options exchange |
| 587 | TCP | SMTP submission | Authenticated client mail submission |
| 853 | TCP | DNS over TLS | Encrypted DNS |
| 989, 990 | TCP | FTPS | FTP over TLS, still operationally awkward |
| 993 | TCP | IMAPS | Mail client access |
| 995 | TCP | POP3S | Legacy mail client access |
| 1194 | UDP/TCP | OpenVPN | Common VPN service |
| 1812, 1813 | UDP | RADIUS auth/accounting | NAC, VPN, wireless auth |
| 4500 | UDP | IPsec NAT-T | IPsec through NAT |
| 5060, 5061 | TCP/UDP | SIP, SIP-TLS | Voice signaling |
| 5004, 5005 | UDP | RTP/RTCP | Media streams, often negotiated dynamically |

Modern note: HTTPS on 443 no longer means "web page." It may be an API, tunnel, remote access tool, malware C2, QUIC fallback, or SaaS control plane.

Infrastructure And Management

| Port | Transport | Service | Exposure Guidance |
|---|---|---|---|
| 49 | TCP/UDP | TACACS+ | Restrict to network devices and AAA servers |
| 69 | UDP | TFTP | Lab or device bootstrapping only, avoid exposure |
| 161, 162 | UDP | SNMP polling/traps | Restrict, prefer SNMPv3 |
| 389 | TCP/UDP | LDAP | Prefer LDAPS or protected network path |
| 445 | TCP | SMB | Never expose to Internet |
| 636 | TCP | LDAPS | Directory access over TLS |
| 873 | TCP | rsync | Restrict and authenticate |
| 902 | TCP | VMware services | Management plane, restrict |
| 2049 | TCP/UDP | NFS | Storage plane, restrict |
| 3260 | TCP | iSCSI | Storage plane, isolate |
| 3389 | TCP/UDP | RDP | Do not expose directly |
| 5900 | TCP | VNC | Do not expose directly |
| 5985, 5986 | TCP | WinRM HTTP/HTTPS | Windows management, restrict |
| 8006 | TCP | Proxmox VE web UI | Management plane, restrict |
| 8080, 8443 | TCP | Alternate HTTP/HTTPS | Common app/admin ports |
| 9100 | TCP | JetDirect printing | Restrict to print infrastructure |

Watch out: Management ports belong on management networks, VPN/ZTNA, or bastion paths. A firewall allow rule is not an access strategy.

Database And Application Ports

| Port | Transport | Service | Notes |
|---|---|---|---|
| 1433, 1434 | TCP/UDP | Microsoft SQL Server | Restrict to app tiers |
| 1521 | TCP | Oracle listener | Restrict to app tiers |
| 3306 | TCP | MySQL/MariaDB | Do not expose broadly |
| 5432 | TCP | PostgreSQL | Do not expose broadly |
| 5672 | TCP | AMQP | RabbitMQ and messaging |
| 6379 | TCP | Redis | Do not expose unauthenticated |
| 8086 | TCP | InfluxDB | Monitoring data, restrict |
| 9200 | TCP | Elasticsearch HTTP | Restrict and authenticate |
| 9300 | TCP | Elasticsearch transport | Cluster-only |
| 11211 | TCP/UDP | Memcached | Never expose to Internet |
| 27017 | TCP | MongoDB | Restrict and authenticate |

Watch out: Many databases now support TLS and authentication, but they still should not be treated like public-facing services.

Network And Routing Protocols

| Port / Protocol | Transport | Service | Notes |
|---|---|---|---|
| IP protocol 1 | ICMP | IPv4 control and diagnostics | Not TCP or UDP |
| IP protocol 2 | IGMP | IPv4 multicast group management | Local multicast behavior |
| IP protocol 47 | GRE | Tunneling | Often paired with other control protocols |
| IP protocol 50 | ESP | IPsec encrypted payload | Not TCP or UDP |
| IP protocol 51 | AH | IPsec authentication header | Less common |
| IP protocol 89 | OSPF | Link-state routing | Control plane only |
| 179 | TCP | BGP | Peer-to-peer routing |
| 3784, 3785 | UDP | BFD | Fast failure detection |
| 4789 | UDP | VXLAN | Data center overlays |
| 646 | TCP/UDP | LDP | MPLS label distribution |
| 1985 | UDP | HSRP | First-hop redundancy |
| 3222 | UDP | GLBP | Cisco first-hop redundancy |

Modern note: Not every firewall rule is TCP or UDP. GRE, ESP, AH, ICMP, OSPF, and other IP protocols need protocol-level handling.

Web, DNS, And Modern Client Traffic

| Port | Transport | Service | Notes |
|---|---|---|---|
| 443 | TCP | HTTPS | Dominant web and API transport |
| 443 | UDP | QUIC / HTTP/3 | Can bypass TCP-only controls |
| 853 | TCP | DNS over TLS | Encrypted DNS |
| 784 | UDP | DNS over QUIC | Encrypted DNS |
| 8853 | UDP | DNS over QUIC alternative | Seen in some implementations |
| 123 | UDP | NTP | Keep time reliable and controlled |
| 3478 | UDP/TCP | STUN/TURN | Real-time apps, WebRTC |
| 5349 | TCP/TLS | TURN over TLS | Real-time apps through restricted networks |

Watch out: Blocking UDP/443 may break HTTP/3, but most clients fall back to TCP/443. That fallback can itself be a troubleshooting clue.

"Do Not Expose" Short List

| Service | Ports | Why |
|---|---|---|
| Telnet | TCP/23 | Cleartext admin |
| SMB | TCP/445 | High-risk file sharing and lateral movement |
| RDP | TCP/UDP 3389 | Frequent brute force and exploit target |
| VNC | TCP/5900 | Remote desktop exposure |
| SNMP v1/v2c | UDP/161 | Weak community-based access |
| Databases | 1433, 3306, 5432, 6379, 9200, 27017 | Data plane exposure |
| Storage | 2049, 3260, 11211 | Sensitive and abuse-prone |
| Admin web UIs | 8006, 8080, 8443, 10000 | Often powerful and weakly segmented |

Cisco IOS/IOS-XE Examples

Simple infrastructure ACL pattern:

ip access-list extended INFRA-IN
 remark Allow SSH from management subnet only
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 remark Allow SNMP polling from monitoring servers only
 permit udp host 10.10.20.50 any eq 161
 remark Allow DNS to approved resolvers
 permit udp any host 10.10.30.53 eq 53
 permit tcp any host 10.10.30.53 eq 53
 deny ip any any log

Control-plane reminder:

show control-plane host open-ports
show access-lists INFRA-IN

Notes:

  • Match source and destination deliberately. A port-only allow rule is usually too broad.
  • Add remarks so the rule explains ownership and intent.
  • Place management service ACLs close to the device or management boundary.
  • Use platform control-plane protection where available. Interface ACLs alone may not cover every punt path.
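As an added example (not from the original page or any vendor tool), a small Python reviewer that reads IOS-style extended ACL permit lines and flags the two problems the notes above describe: any-source access to a port on the "Do Not Expose" short list, and port-only rules with neither source nor destination constrained. The ACL text and addresses are constructed for this example.

```python
import re
# Ports from the "Do Not Expose" short list above, keyed by transport.
DO_NOT_EXPOSE = {
    "tcp": {23, 445, 3389, 5900, 1433, 3306, 5432, 6379, 9200, 27017,
            2049, 3260, 11211, 8006, 8080, 8443, 10000},
    "udp": {161, 3389, 2049, 11211},
}

# One IOS extended ACE: permit <proto> <src> [eq <sport>] <dst> [eq <dport>], where an
# address is "any", "host A.B.C.D" or "A.B.C.D WILDCARD". Numeric ports only here.
ADDR = r"(?:any|host\s+\d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACE = re.compile(
    rf"^\s*permit\s+(?P<proto>tcp|udp|ip)\s+(?P<src>{ADDR})(?:\s+eq\s+\d+)?"
    rf"\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<dport>\d+))?",
    re.IGNORECASE,
)

def review_acl(text):
    """Return (ace, reason) findings: port-only rules and any-source access to listed ports."""
    findings = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # header, remarks and deny entries are not reviewed
        ace, proto = line.strip(), m["proto"].lower()
        src_any = m["src"].lower() == "any"
        dport = int(m["dport"]) if m["dport"] else None
        if src_any and m["dst"].lower() == "any":
            findings.append((ace, "port-only rule: neither source nor destination constrained"))
        transports = ("tcp", "udp") if proto == "ip" else (proto,)
        if src_any and dport is not None and any(dport in DO_NOT_EXPOSE[t] for t in transports):
            findings.append((ace, f"any-source access to do-not-expose port {proto}/{dport}"))
    return findings

# Constructed sample ACL; 203.0.113.0/24 is a documentation range, not a real network.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 remark Constructed example, not a real deployment
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 permit tcp any any eq 23
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.20 eq 161
 permit tcp any host 203.0.113.30 eq 3389
 permit ip any any
 deny ip any any log
"""
if __name__ == "__main__":
    for ace, reason in review_acl(SAMPLE_ACL):
        print(f"{ace:45} {reason}")
```

The SSH rule passes because its source is constrained, and the 443 rule passes because the port is not on the short list; the review is a screening aid, so rules it accepts still need the owner and purpose context the notes call for.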

Troubleshooting

| Symptom | Check | Likely Cause |
|---|---|---|
| TCP app fails immediately | SYN/SYN-ACK/RST, firewall logs | Closed port or reject |
| TCP app hangs | SYN retries, drops | Silent firewall drop or routing issue |
| UDP app intermittent | Bidirectional flows, timeout, NAT | Stateful timeout or return path |
| DNS works for small replies only | TCP/53, EDNS, fragmentation | TCP DNS blocked |
| VPN connects but passes no traffic | ESP, UDP/4500, routes, NAT | IPsec data path blocked |
| Voice registers but has no audio | RTP range, NAT, SIP ALG | Media path blocked |
| Web works in browser but not tool | Proxy, TLS inspection, SNI, HTTP/3 | Different transport or trust path |

Commands

ss -tulpen
nc -vz example.com 443
dig example.com A
dig +tcp example.com A
curl -v https://example.com/
tcpdump -nn host 198.51.100.10 and port 443
show control-plane host open-ports
show ip sockets
show access-lists
show platform software fed active punt cause summary

Expected clues:

  • The service is actually listening on the expected interface.
  • Firewall logs show allow, deny, or timeout behavior.
  • TCP handshakes complete before TLS or app troubleshooting starts.
  • UDP return traffic is allowed back through stateful devices.
  • DNS can use TCP when responses require it.
  • Control-plane ports on routers and switches are not exposed to untrusted networks.
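The first two rows of the troubleshooting table, and the closed-versus-filtered distinction, turned into code. This is an added Python example, not part of the original page: it classifies a TCP connect attempt by how it fails and maps the verdict onto the table's "Likely Cause" column, using a constructed loopback listener and a deliberately unbound loopback port as local stand-ins for a reachable and a closed service.

```python
import socket
# Maps the classifier's result onto the "Likely Cause" column of the table above.
LIKELY_CAUSE = {
    "open": "handshake completes; move on to TLS or application troubleshooting",
    "closed": "closed port or firewall reject (immediate RST)",
    "filtered": "silent firewall drop or routing issue (no answer before timeout)",
    "unreachable": "local stack could not route the SYN; check routes before blaming a firewall",
}

def classify_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port over TCP.
    Refused (RST) fails immediately; a silent drop hangs until the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def start_local_listener():
    """Constructed stand-in for a reachable service: listen on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
def free_loopback_port():
    """Bind an ephemeral port and release it, so a connect there is refused (closed)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def demo():
    """Exercise open and closed locally; 'filtered' needs a real drop somewhere in the path."""
    srv, open_port = start_local_listener()
    results = {"listener": classify_tcp_port("127.0.0.1", open_port),
               "nothing_bound": classify_tcp_port("127.0.0.1", free_loopback_port())}
    srv.close()
    return results
if __name__ == "__main__":
    for target, verdict in demo().items():
        print(f"{target:14} {verdict:10} {LIKELY_CAUSE[verdict]}")
```

Against a real target, a "filtered" verdict is the table's "TCP app hangs" row, and the next check is the SYN retries and drops in a capture or the firewall logs, not the application.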

Watch Out

  • Do not trust a port number alone to identify an application.
  • Do not expose management services directly to the Internet.
  • Do not forget UDP when troubleshooting voice, VPN, DNS, QUIC, gaming, or telemetry.
  • Do not block all ICMP and then expect PMTUD and diagnostics to work cleanly.
  • Do not assume "closed" and "filtered" mean the same thing.
  • Do not publish firewall rules without owner, purpose, source, destination, port, and expiration context.
