Can someone demystify computer Ports for me? Please? Blocking, unblocking, opening, allowing, VPNs and their effect, what ports are and what they do, step by step, when you have to interact with them?

dnick , 2 months ago

Maybe think of it like one of those big walls of post office mailboxes…behind the wall is your computer and an app might be waiting for a message at box 22 or box 45678. You could close all the boxes and nothing could get in, or you could open one or all of them and allow people to deliver messages to them.

If you connect your computer directly to the internet, anyone who knows your IP address could say 'deliver message X to port 22 at ip address <your ip address> and the program watching that box would get the message.

If you put a router in the mix, and multiple computers, the router has the same block of boxes, but if someone sends a message to one of the boxes it just sets there. If you set up ‘forwarding’, sending a message to your ip address gets the message to the router, but if you forward box 22 from your router to a specific computer on your network, then the router takes a message at box 22 on itself and ‘forwards’ it to box 22 on whatever computer you specific (using internal ip addresses).

You could map box 22 on your router to any other box on your computer…like port 22 coming into your router might get sent to port 155 on your computer…this is useful if you don’t want external people just exploring and lazily breaking into your computer using known vulnerabilities. Lots of ports are ‘common’, so an ftp hack on port 22 is easy, and might be ‘slightly’ harder if you tell your computer to actually look for ftp traffic on port 3333 or something.

Melatonin OP , 2 months ago

The one statement “using internal IP addresses” has clarified something to where I’m actually excited to try working on a long-standing problem.

But how come I’ll get instructions from a program that I have to allow ip “bla.bl.b.blah:80” when that number isn’t my IP? Then I go on my router and do it and the program doesn’t work/port isn’t open? Those kind of problems kill me.

flashgnash , 2 months ago

A port is basically what it sounds like, a hole in your network to allow traffic to get to your pc

When you forward a port you send all traffic trying to get into that port to the computer you configure it to forward to. I believe forwarding and opening are synonymous, I’m sure someone will correct me if I’m wrong

There are two protocols for transmitting data you can open/close individually, TCP and UDP. Depends on the application, some want one, some want the other, some can use either or some want both

Opening ports allows anyone with your IP address to get at your computer, which means they have a chance to exploit any vulnerabilities there might be in your os, networking stack, software etc, so generally it’s a good idea not to leave them open unless absolutely necessary

Personally I use tailscale to get around having to open ports, makes it as if they’re all on the same network

prashanthvsdvn , 2 months ago

Port forwarding is related to router forwarding all the traffic it gets on specific port to your computer. Port opening is just enabling to communicate via a new port on your computer.

Both can be done irrespective of each other and sometimes they do happens simultaneously. The router could forward the traffic to a new port that you opened on your computer. But they are not synonymous with each other.

Cysioland , 2 months ago

VPN: you give your mail to a dude who puts it in a plain suitcase and goes with it to the VPN company’s HQ. Nobody knows whose mail he’s got or where it’s headed. When that dude gets to the VPN company’s office he gives that envelope to another dude who carries it to the destination. If someone’s peeping they can only see the dude going from your place to the VPN place or from the VPN place to the destination, not from your place to the destination.

intensely_human , 2 months ago

A “port” is just a number that gets assigned to network messages to differentiate targets within the same IP address.

One program is “listening on port 1”, which means it has told the operating system “anything labeled port 1, send it to me”.

It’s sort of like saying “attention: Joe” versus “attention: Sue” on an address. Same address, same building, but that “attention” line means to put it on Joe’s desk inside the building.

Except instead of “attention: Joe”, it’s just “attention: 22”. A numerical code that represents a “mailbox” inside the computer.

bastion , 2 months ago

That is The Good Answer.

Another, very similar way of thinking about it is that It’s effectively like an apartment or office number. A post office typically ignores it, but if told to, they would forward a specific apartment number at a specific address to a new address and apartment number.

KeepFlying , 2 months ago

To take this further, if the office mailroom is the router, opening a port is like telling them “we just hired Jeff, so accept mail with ATTN Jeff” and closing a port is like “we just fired Sam, burn all mail addressed to Sam”.

Socsa , 2 months ago

A port is a convenience wrapper for the application space. That’s really it. The networking stack delivers messages to the host, and then the kernel uses ports to distribute messages from there. Otherwise every application would need to parse out every network (or local) payload to determine if it is relevant or not. This obviously ends up with a lot of duplicate processing, thus port routing instead.

Kindness , 2 months ago

Let’s say you want to talk to your friend. You have several protocols, Phone, Mail, Email, SMS, or maybe something stranger, like smoke signals or memes. Each protocol needs a different port.

Your friend doesn’t answer phone calls or check VMs. The ‘port’ for phone calls is blocked. Nothing gets in through here.

Your friend only accepts email from certain addresses, like protonmail. This port is filtered. Only known things get in through here.

Your friend accepts any texts if they begin with the secret pass phrase. This port is open and filtered. Few unknown things get in through here.

Your friend accepts all postage. This port is open. Anything can get in through here. HTTP or HTTPS, your browser.

The VPN is sort of like an opaque tunnel you run from your house alongside public roads to some place you feel safe exiting, And then the usual steps in communicating. All of the communication has to go through the exit point back to the house.

If this kind of thing interests you, have a basic book for free. open.umn.edu/opentextbooks/textbooks/353

teawrecks , 2 months ago

If IP addresses are for finding the specific computer on a network you’re wanting to talk to, Ports are for finding the specific application you want to talk to on that computer. So kinda like a phone extension. When an application “opens” a port, they’re just telling the OS “hey, if any packets come in on this port, send the data my way, I’ll know what to do with it”.

A firewall is a special program the OS uses to control access to its ports. It says what programs are allowed to access what ports, effectively controlling the ability for all apps to access the network.

The only other thing to know is that the first 1024 port values are usually heavily controlled by the OS because there are specific protocols that are traditionally used on those specific ports, so you usually don’t want just any application claiming one of those ports willy-nilly.

Oh, and you may have had to deal with “port forwarding” on your router. This is because, if some computer outside your network sends a packet to your router targeting a specific port number, the router doesn’t know which computer it should go to. So by default, it just ignores it (which is usually the safest thing to do). Port forwarding tells your router, “if any packets come in on this port, send them to the computer at this IP, they’ll know what to do with it.”

emptiestplace , 2 months ago (edited 2 months ago)

This is really good, I just want to clarify one thing:

there are specific protocols that are traditionally used on those specific ports

Protocols are not ‘used on ports’, it’s actually the other way around: TCP and UDP are both protocols operating on top of IP, each with its own set of ports to help direct traffic, exactly as you explained.

There are other protocols, like ICMP or GRE, that exist quite happily without knowing anything about ports (ICMP has types and codes, GRE doesn’t).

Edit: I suppose it is actually a bit ambiguous because we also refer to applications (HTTPS, telnet) as protocols. I’m not sure if there is a standard way to differentiate when discussing other than just saying transport layer protocol / application layer protocol.

teawrecks , 2 months ago

Yeah, didn’t want to dig deep in the interest of brevity, but I didn’t want to say that specific applications use those ports, even though I already said that ports in general are for applications. You can use whatever ftp, ssh, or http server you want as long as they “speak” the expected protocol.

JoeBidet , 2 months ago

“porte” in French means a door.

Imagine each port is a door, all neatly aligned… some of them can be opened and lead to something… (a service)

Deez , 2 months ago

And when you go through the door, you must know the language to speak (the protocol) or you may be told to leave or ignored.

JoeBidet , 2 months ago

yeah you need to know the password or secret handshake (like a protocol handshake) to be let in! :)

lolcatnip , 2 months ago

Without invoking any analogies, a port is just a number. When an application on your computer sends or receives data, there is a port number associated with it. A server-side application listens for data with a particular port number, and a client side application needs to send data with the same port number to communicate with the right server application. The operating system uses the port number to route incoming data to the right application, and it ensures that only one application at a time can use any given port number.

Some port numbers are assigned to specific protocols (by IANA, I believe), like 80 for HTTP and 443 for HTTPS, so when you see a URL, the default port is usually implied by the protocol, but it can always be specified. For instance, google.com is equivalent to google.com:443. For more obscure protocols without assigned port numbers, you’ll usually see the port number in a URL, and this tends to happen in the same scenarios where you don’t have a domain name, so you’ll also see an IP address in a URL. It also happens when you need to run more than one of the same kind of server on a single machine. For example, when developing an HTTP server app, it’s customary to use port 8080 or 8888 to distinguish it from the “official” server app on the same machine using port 80, so your development server app will have a URL that looks like 192.168.0.1:8080.

Typically ports 0-1023 are reserved by the operating system for programs set up by an administrator, and ports starting at 1024 up to a maximum of 65535 are available to any user, so they’re perfect for, say, a Jellyfin server or an app you’re developing. If someone gives you a URL with a port number, especially if it’s above 1023, make sure you trust the owner of the URL, because it can be a giveaway that someone is doing something shady.

HottieAutie , 2 months ago

Think of the Internet as being able to send opened letters with a destination address and return address. Anyone that handles the letter to help deliver it can see what it says, who’s sending it, and where it’s going.

A VPN is like asking a company to help you transmit the letter with more privacy. The VPN creates a secret code between you and the VPN, so that only you two understand what is in the letter. Then, the VPN communicates with whomever while not sharing your identity so that no one knows who you are unless you specifically tell them in the letter.

Say you want to know what the symptoms you’re experiencing after a sexual encounter are, but you’re embarrassed and don’t want anyone to suspect anything in case it’s nothing. You tell your VPN you want to send a letter to the medical info center. The VPN tells you to use a code that was created automatically so that no one knows what it means besides you and their code machine, and was sent to you earlier when you signed up for their service or at a regular update. “Use code 5 we sent you last week.” You write the letter and address in code 5, then address it in normal language to the VPN, sending it via the mail system. The VPN machine translates the code to normal language but changes the return address to its own address. The medical info center receives a letter saying that the VPN wants to know the info you requested, so they respond. The VPN receives the info, translates it back to code 5, and sends the info to you.

As far as everyone in the mail system is concerned, you sent and received info from the VPN, but only you know what it was because the mail system couldn’t understand it, and the VPN handled it through an automated machine. The medical mail system and medical info center then knows what the letter said, but thinks the VPN requested that info, so they don’t know it was you. Since the VPN handles tons of mail, no one knows who is requesting what specific info through the VPN.

Note: This assumes the VPN doesn’t keep logs. Some VPNs might actually track what you send, so they could keep track of your messages. That’s why people that value privacy recommend to use VPNs that don’t keep logs.

bruhduh , 2 months ago (edited 2 months ago)

www.youtube.com/watch?v=3kfO61Mensg

shadowintheday2 , 2 months ago

IP is like an address to a big skyscraper where a company operates. You are the delivery man and must go to 201.154.76.19 and deliver something. When you get at the reception, you tell them you have a package to deliver to Mrs HTTPS, at room (port) 443. Since Mrs HTTPS is well known and has cleared your entry before, you’re allowed to enter this room and only this room.

If you were to get at the same address and try to access other rooms you would either get refused because they are closed, or if open, someone would specifically need to be in the room so you can deliver something

Malicious actors that wanted access to the building could try to disguise their deliveries and enter the building, that’s why the default policy of most firewalls is “reject” and you specifically need to open a port and have a program listening to it if you want incoming connections.

cygon , 2 months ago (edited 2 months ago)

When you have a bunch of computers networked, each of them is assigned a unique number, so when other computers send data on the wire, they can say who it is meant for (imagine each blurb of data starting out like: “yo, I’m sending these next 500 bytes for computer 0A123FBC32, here they come”).

Now the right computer will listen, but it doesn’t know what program the data is for - is it a chunk of a file your browser is downloading? Or the email your email app wants to display? Or perhaps a join request from your buddy’s computer for the Minecraft game you’re hosting?

So in addition to the unique number of the target computer, the data also specifies a “port number”, which tells the computer which of its running programs the data is meant for (programs ask the computer’s operating system: “if any network data arrives on port XY, give it to me”). Some ports have become standards - for example, a program that serves web pages to other computers would typically ask the operating system that any data arriving on the computer that indicates port numbers 80 and 443 should be given to it, and when a web browser wants to fetch a web page, it will send a request to the computer serving the page, defaulting to port 80 o 443.

If you dig deeper, you’ll find that there are even more unique numbers involved and routers/firewalls let data through not only by port number but also by distinguishing between data that is the initial request to another computer’s port number and data that is an answer to an earlier seen request – and more.

joshcodes , 2 months ago

This is a great explanation, pretty much what I would have said

HottieAutie , 2 months ago

This is the first time I understand ports in networking. Thank you!

Galli , 2 months ago

https://hexbear.net/pictrs/image/0bc1e85f-99d6-4d60-ba35-3a5654b17808.jpeg

The top cat uses ports to sort messages based on application.

https://hexbear.net/pictrs/image/a95adffd-de17-4cfc-abb4-9e57e34b9d08.jpeg

Think pigeon holes, applications usually use protocols which are assigned a number by convention. The application gets it’s message out of it’s assigned ports instead of having to sort through all the messages.

WolfLink , 2 months ago

The short answer is, when your computer sends a message over the network, the IP address specifies which computer should receive the message, and the port specifies which program should receive the message.