Subnetcalculator

TCP Port Checker

Check whether a TCP port is open, closed, or filtered on any public host. Instantly verify firewall rules, service availability, and network accessibility.

Open / Closed / Filtered

See exactly whether the port accepts connections or is blocked by a firewall

Any TCP Port

Test any port 1–65535 — SSH, HTTP, database, custom services

External Perspective

Check from outside your network — confirms what external users actually see

TCP Port Checker

Check whether a TCP port is open on any public host. Useful for verifying firewall rules, server accessibility, and service availability.

TCP connection attempt with a 5-second timeout. Check runs from the server, not your browser.

Common Ports

Well-Known Port Numbers Reference

Port Service Description
20–21 FTP File Transfer Protocol — data (20) and control (21)
22 SSH Secure Shell — encrypted remote terminal access
23 Telnet Unencrypted remote terminal (deprecated — use SSH)
25 SMTP Email delivery between servers
53 DNS Domain Name System — UDP and TCP
80 HTTP Unencrypted web traffic
110 POP3 Post Office Protocol — retrieve email
143 IMAP Internet Message Access Protocol — email
443 HTTPS Encrypted web traffic (TLS)
465 SMTPS SMTP with implicit TLS (email submission)
587 SMTP submission Recommended port for email client submission
993 IMAPS IMAP with TLS
995 POP3S POP3 with TLS
3306 MySQL MySQL / MariaDB database
5432 PostgreSQL PostgreSQL database
6379 Redis Redis in-memory data store
8080 HTTP alt Common alternative port for HTTP services
8443 HTTPS alt Common alternative port for HTTPS
27017 MongoDB MongoDB document database

How TCP Port Checking Works

A TCP port check performs a three-way handshake: the checker sends a SYN packet to the target host and port. Three outcomes are possible:

Open

Host replies with SYN-ACK. A service is listening and the firewall permits the connection. The check immediately sends RST to close gracefully.

Closed (Refused)

Host replies with RST. The host is reachable but no service is listening on that port. No firewall is blocking — the connection just has nothing to connect to.

Filtered (Timeout)

No response received. A firewall, security group, or ACL silently drops the SYN packet. The host may be up — the traffic just never reaches it.

Common Troubleshooting Flow

  1. Use Ping first — if it fails, the host may be down or blocking ICMP
  2. If ping succeeds but port times out, the firewall is filtering that port
  3. If port is refused, the service isn't running — check the process and config
  4. Use Traceroute to see where packets stop if the host seems unreachable

Frequently Asked Questions

What does 'port open' mean?

A port is open when a TCP connection can be established — the target host accepted the connection. This means a service is actively listening on that port and the firewall allows the traffic through. Open does not mean the service is necessarily healthy or authenticated, only that the TCP handshake succeeded.

What does 'port closed' mean vs 'filtered'?

Closed means the host sent a TCP RST (reset) packet, actively refusing the connection. The port is reachable but no service is listening. Filtered (shown as timeout) means no response arrived — the packet was silently dropped by a firewall or access control list. The distinction matters: closed means the host is up, filtered means a firewall is in the path.

Why is port 25 often closed even on mail servers?

Most ISPs and cloud providers block outbound port 25 to prevent spam. Email servers receive inbound mail on port 25 but clients should submit email using port 587 (SMTP submission with authentication). If you are setting up a mail server, check that your hosting provider allows inbound port 25 from other mail servers.

How is this different from nmap?

Nmap is a powerful local tool that can scan many ports simultaneously, detect OS and services, and use various techniques. This tool checks a single port from the server side using a simple TCP connect — useful for quick verification without installing software. For comprehensive security scanning of your own infrastructure, use nmap locally.

Can I use this to scan someone else's server?

This tool only makes a standard TCP connection attempt — the same as any normal network request. You should only test ports on hosts you own or have permission to test. Unauthorized port scanning may violate terms of service or local laws.

What is a well-known port vs an ephemeral port?

Well-known ports are 0–1023, assigned by IANA to standard services (SSH=22, HTTP=80, HTTPS=443). Registered ports are 1024–49151, assigned to specific applications. Ephemeral ports are 49152–65535, used temporarily by clients for outbound connections. When you open a webpage, your browser uses a random ephemeral port as the source and connects to the server's port 443.

Related Network Tools