Introduction to firewalls in Linux
In this publication, I present practical information about three most commonly used tools for managing network firewalls in Linux systems: firewalld, ufw, and iptables.
Below you'll find a list of Well-known ports, and at the very end several methods useful for analyzing both local and remote ports.
In the Tools section, you'll find ready-made tools for generating commands for your own needs.
Enjoy!
firewall-cmd (firewalld)
firewalld is used by default in Red Hat-based distributions (RHEL, CentOS, Fedora, AlmaLinux, Rocky).
Port management
Allow on port
Blocking port
Opening a range of ports
Activation of changes
Service management
List available services
Permitting a service
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --add-service=ssh --permanent
Blocking a service
Managing zones
List available zones
Check active zones
Set default zone
Add interface to a zone
List all rules in a zone
Forwarding ports
Forwarding a port to another port on the same host
Forwarding a port to a specific IP address
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.10 --permanent
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.10 --permanent
Rules for specific addresses/networks
Allowing access to a port only from a specific address/network
Blocking access to a port from a specific address/network
Rich rules
Note
Rich rules are ideal when you need more granularity than simple firewalld rules offer. While their syntax is slightly more complex, they allow you to customize your firewall to meet your system's specific security requirements.
Want to monitor who's trying to connect to your SSH server from a specific IP - without blocking or accepting yet? Logs will be in journald or /var/log/messages
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.42" port port=22 protocol=tcp log prefix="SSH Attempt: " level="info"'
Blocking access to a port from a specific address/network
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=80 protocol=tcp reject' --permanent
Allowing access to a port from a specific address/network with rate limiting
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=80 protocol=tcp accept limit value="3/m"' --permanent
ufw (Uncomplicated Firewall)
UFW is a user-friendly interface for managing iptables, commonly used in Ubuntu and Debian-based distributions.
Basic commands
Status check
On/Off
Resetting UFW to default settings
Port management
Allowing a port
Blocking a port
Allowing a range of ports
Deleting a rule by number
Service management
Allowing a service
Blocking a service
Rules for specific addresses/networks
Allowing access to a port from a specific address/network
Blocking access to a port from a specific address/network
Rules for specific interfaces
Allowing access through a specific interface
Blocking access through a specific interface
Traffic direction
Allowing incoming traffic on a port
Blocking outgoing traffic on a port
Logging
By default in /var/log/ufw.log, if this file doesn't exist make sure rsyslog is running and add a rule in /etc/rsyslog.d/:
Enable logging
Disable logging
iptables
iptables is a low-level tool for configuring firewalls in Linux.
Basic commands
Show all rules
List rules for a specific chain
Saving and restoring rules
Default policies
Set default policy (DROP, ACCEPT, REJECT)
Port management
Allowing a port
Blocking a port
Allowing a range of ports
Rules for specific addresses/networks
Allowing access from a specific address/network
Blocking access from a specific address/network
Allow to addresss and port
Rules for specific interfaces
Allowing access through a specific interface
Blocking access through a specific interface
Allowing access to a specific port on a specific interface
Connection tracking
Allowing established connections
Blocking new connections
Rate limiting
To prevent DoS attacks, you can limit the number of connections per second:
Security rule to block packets with both SYN and FIN flags set, which is unusual in normal TCP communication:
Why is this rule used?
The combination of SYN and FIN flags in a single TCP packet is unnatural in normal communication: - SYN (Synchronize) initiates a connection (3-way handshake) - FIN (Finish) terminates a connection
In standard TCP operation, these flags don't occur together. Such packets may indicate:
- malicious network scanning (e.g., system fingerprinting attempts)
- errors in TCP stack implementation
- stealth scanning attacks
NAT and port forwarding
Port forwarding (DNAT)
Masquerading (SNAT)
Rules management
Adding a rule at the beginning of a chain
Deleting a rule by number
Deleting a specific rule
Flushing all rules
Flushing a specific chain
IPv6
For managing IPv6 rules, use ip6tables, which has a similar syntax to iptables.
Well-Known ports
Below is a list of well-known ports (port numbers 0-1023) and popular registered ports (1024-49151) that are frequently used in computer networks.
Well-known ports (0-1023)
| Port | Protocol | Service | Description |
|---|---|---|---|
| 0 | TCP/UDP | Reserved | Reserved port, should not be used |
| 1 | TCP/UDP | TCPMUX | TCP Port Service Multiplexer |
| 5 | TCP/UDP | RJE | Remote Job Entry |
| 7 | TCP/UDP | ECHO | Echo Protocol (echo service) |
| 9 | TCP/UDP | DISCARD | Discard Protocol (null service) |
| 11 | TCP/UDP | SYSTAT | System Status Protocol |
| 13 | TCP/UDP | DAYTIME | Daytime Protocol (day and time) |
| 17 | TCP/UDP | QOTD | Quote of the Day |
| 18 | TCP/UDP | MSP | Message Send Protocol |
| 19 | TCP/UDP | CHARGEN | Character Generator Protocol |
| 20 | TCP | FTP-DATA | File Transfer Protocol (data) |
| 21 | TCP | FTP | File Transfer Protocol (control flow) |
| 22 | TCP/UDP | SSH | Secure Shell Protocol |
| 23 | TCP | TELNET | Telnet Protocol |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol |
| 26 | TCP/UDP | RSFTP | RSFTP |
| 37 | TCP/UDP | TIME | Time Protocol |
| 39 | TCP/UDP | RLP | Resource Location Protocol |
| 42 | TCP/UDP | NAMESERVER | Host Name Server Protocol |
| 43 | TCP | NICNAME | WHOIS Protocol |
| 49 | TCP/UDP | TACACS | Terminal Access Controller Access-Control System |
| 50 | TCP/UDP | RE-MAIL-CK | Remote Mail Checking Protocol |
| 53 | TCP/UDP | DNS | Domain Name System |
| 67 | UDP | BOOTPS | Bootstrap Protocol Server (DHCP) |
| 68 | UDP | BOOTPC | Bootstrap Protocol Client (DHCP) |
| 69 | UDP | TFTP | Trivial File Transfer Protocol |
| 70 | TCP | GOPHER | Gopher Protocol |
| 79 | TCP | FINGER | Finger Protocol |
| 80 | TCP | HTTP | Hypertext Transfer Protocol |
| 81 | TCP | HOSTS2-NS | HOSTS2 Name Server |
| 82 | TCP/UDP | XFER | XFER Utility |
| 83 | TCP | MIT-ML-DEV | MIT ML Device |
| 88 | TCP/UDP | KERBEROS | Kerberos Authentication |
| 95 | TCP | SUPDUP | SUPDUP Protocol |
| 101 | TCP | HOSTNAME | NIC Host Name Server |
| 102 | TCP | ISO-TSAP | ISO-TSAP Protocol |
| 104 | TCP/UDP | ACRNEMA | ACR-NEMA Digital Imaging and Communications in Medicine |
| 107 | TCP | RTelnet | Remote Telnet |
| 109 | TCP | POP2 | Post Office Protocol v2 |
| 110 | TCP | POP3 | Post Office Protocol v3 |
| 111 | TCP/UDP | SUNRPC | Sun Remote Procedure Call |
| 113 | TCP | IDENT | Authentication Service/Identification Protocol |
| 115 | TCP | SFTP | Simple File Transfer Protocol |
| 117 | TCP | UUCP-PATH | UUCP Path Service |
| 118 | TCP/UDP | SQL-NET | SQL Services |
| 119 | TCP | NNTP | Network News Transfer Protocol |
| 123 | UDP | NTP | Network Time Protocol |
| 135 | TCP/UDP | EPMAP | DCE endpoint resolution |
| 137 | TCP/UDP | NETBIOS-NS | NetBIOS Name Service |
| 138 | UDP | NETBIOS-DGM | NetBIOS Datagram Service |
| 139 | TCP | NETBIOS-SSN | NetBIOS Session Service |
| 143 | TCP | IMAP | Internet Message Access Protocol |
| 152 | TCP/UDP | BFTP | Background File Transfer Program |
| 153 | TCP/UDP | SGMP | Simple Gateway Monitoring Protocol |
| 156 | TCP/UDP | SQL-SERVER | SQL Service |
| 158 | TCP/UDP | DMSP | Distributed Mail Service Protocol |
| 161 | UDP | SNMP | Simple Network Management Protocol |
| 162 | TCP/UDP | SNMPTRAP | Simple Network Management Protocol Trap |
| 170 | TCP | PRINT-SRV | Network PostScript |
| 177 | TCP/UDP | XDMCP | X Display Manager Control Protocol |
| 179 | TCP | BGP | Border Gateway Protocol |
| 194 | TCP/UDP | IRC | Internet Relay Chat |
| 199 | TCP/UDP | SMUX | SNMP Unix Multiplexer |
| 201 | TCP/UDP | APPLIX | Applix ac |
| 209 | TCP/UDP | QMTP | Quick Mail Transfer Protocol |
| 210 | TCP/UDP | Z39.50 | ANSI Z39.50 |
| 213 | TCP/UDP | IPX | Internetwork Packet Exchange |
| 220 | TCP/UDP | IMAP3 | Interactive Mail Access Protocol v3 |
| 245 | TCP/UDP | LINK | LINK Protocol |
| 311 | TCP | ASIP-WEBADMIN | AppleShare IP WebAdmin |
| 318 | TCP/UDP | TSP | Time Stamp Protocol |
| 319 | UDP | PTP-EVENT | Precision Time Protocol (PTP) - Event |
| 320 | UDP | PTP-GENERAL | Precision Time Protocol (PTP) - General |
| 350 | TCP/UDP | MATIP-TYPE-A | Mapping of Airline Traffic over IP, Type A |
| 351 | TCP/UDP | MATIP-TYPE-B | Mapping of Airline Traffic over IP, Type B |
| 366 | TCP/UDP | ODMR | On-Demand Mail Relay |
| 369 | TCP/UDP | RPC2PORTMAP | Coda portmapper |
| 370 | TCP/UDP | CODAAUTH2 | Coda authentication server |
| 371 | TCP/UDP | CLEARCASE | Clearcase |
| 383 | TCP/UDP | HP-ALARM-MGR | HP performance data alarm manager |
| 384 | TCP/UDP | ARNS | A Remote Network Server System |
| 387 | TCP/UDP | AURP | AppleTalk Update-based Routing Protocol |
| 389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol |
| 399 | TCP/UDP | ISO-TSAP-C2 | ISO Transport Class 2 Non-Control over TCP |
| 401 | TCP/UDP | UPS | Uninterruptible Power Supply |
| 427 | TCP/UDP | SLP | Service Location Protocol |
| 443 | TCP/UDP | HTTPS | HTTP Secure (HTTP over TLS/SSL) |
| 444 | TCP/UDP | SNPP | Simple Network Paging Protocol |
| 445 | TCP | MICROSOFT-DS | Microsoft-DS (Direct Hosting of SMB) |
| 464 | TCP/UDP | KPASSWD | Kerberos Change/Set password |
| 465 | TCP | SMTPS | SMTP over TLS/SSL |
| 475 | TCP | TCF | TCF |
| 500 | UDP | ISAKMP | Internet Security Association and Key Management Protocol |
| 502 | TCP/UDP | MODBUS | Modbus Protocol |
| 512 | TCP | EXEC | Remote Process Execution |
| 512 | UDP | COMSAT | COMSAT |
| 513 | TCP | LOGIN | Remote Login (rlogin) |
| 513 | UDP | WHO | Who service |
| 514 | TCP | SHELL | Remote Shell (rsh) |
| 514 | UDP | SYSLOG | Syslog service |
| 515 | TCP | PRINTER | Line Printer Daemon (LPD) |
| 517 | UDP | TALK | Talk |
| 518 | UDP | NTALK | Network Talk |
| 520 | UDP | RIP | Routing Information Protocol |
| 520 | TCP | EFS | Extended File Name Server |
| 521 | UDP | RIPng | RIP for IPv6 |
| 524 | TCP/UDP | NCP | NetWare Core Protocol |
| 525 | UDP | TIMED | Time Daemon |
| 530 | TCP/UDP | COURIER | Courier Remote Procedure Call |
| 531 | TCP/UDP | CONFERENCE | Chat |
| 532 | TCP | NETNEWS | Netnews |
| 533 | UDP | NETWALL | For emergency broadcasts |
| 540 | TCP | UUCP | UUCP Daemon |
| 542 | TCP/UDP | COMMERCE | Commerce Applications |
| 543 | TCP | KLOGIN | Kerberos Login |
| 544 | TCP | KSHELL | Kerberos Remote Shell |
| 546 | TCP/UDP | DHCPv6-CLIENT | DHCPv6 Client |
| 547 | TCP/UDP | DHCPv6-SERVER | DHCPv6 Server |
| 548 | TCP | AFP | Apple Filing Protocol |
| 550 | TCP/UDP | NEW-RWHO | new-who |
| 554 | TCP/UDP | RTSP | Real Time Streaming Protocol |
| 556 | TCP | REMOTEFS | Brunhoff's Remote File System |
| 560 | UDP | RMONITOR | Remote Monitor |
| 561 | UDP | MONITOR | Monitor |
| 563 | TCP/UDP | NNTPS | NNTP over TLS/SSL |
| 565 | TCP/UDP | WHOAMI | whoami |
| 569 | TCP | MSN | Microsoft Network |
| 587 | TCP | SUBMISSION | Message Submission Agent (MSA) |
| 593 | TCP/UDP | HTTP-RPC-EPMAP | HTTP RPC Ep Map |
| 631 | TCP/UDP | IPP | Internet Printing Protocol |
| 635 | TCP/UDP | RLZ-DBase | RLZ DBase |
| 636 | TCP/UDP | LDAPS | LDAP over TLS/SSL |
| 639 | TCP/UDP | MSDP | Multicast Source Discovery Protocol |
| 641 | TCP/UDP | SUPFILESRV | Support File Service |
| 643 | TCP/UDP | SUPSRVR | Support Service |
| 646 | TCP | LDP | Label Distribution Protocol |
| 647 | TCP | DHCP-FAILOVER | DHCP Failover |
| 648 | TCP | RRP | Registry Registrar Protocol |
| 651 | TCP | IEEE-MMS | IEEE MMS |
| 653 | TCP | SPOOLER | Spooler |
| 654 | TCP | SNPP | Simple Network Paging Protocol |
| 655 | TCP | TINC | TINC |
| 657 | TCP | RMC | RMC |
| 660 | TCP | MAC-SRVR-ADMIN | MacOS Server Admin |
| 666 | TCP | DOOM | Doom (game) |
| 674 | TCP | ACAP | Application Configuration Access Protocol |
| 688 | TCP | REALM-RUSD | ApplianceWare Server Appliance Management Protocol |
| 690 | TCP/UDP | NMAP | NMAP - Network Mapper |
| 691 | TCP | MS-EXCHANGE | MS Exchange Routing |
| 694 | UDP | LINUX-HA | Linux-HA (Heartbeat) |
| 695 | TCP/UDP | IEEE-MMS-SSL | IEEE-MMS-SSL |
| 700 | TCP | EPP | Extensible Provisioning Protocol |
| 701 | TCP | LMP | Link Management Protocol |
| 702 | TCP | IRIS-BEEP | IRIS over BEEP |
| 706 | TCP | SILC | Secure Internet Live Conferencing |
| 711 | TCP | CISCO-TDP | Cisco Tag Distribution Protocol |
| 712 | TCP | TBRPF | Topology Broadcast based on Reverse-Path Forwarding Protocol |
| 749 | TCP/UDP | KERBEROS-ADM | Kerberos administration |
| 750 | UDP | KERBEROS-IV | Kerberos version IV |
| 751 | TCP/UDP | KERBEROS-MASTER | Kerberos authentication |
| 752 | UDP | PASSWD-SERVER | Kerberos Password (kpasswd) Server |
| 753 | UDP | USERREG-SERVER | Kerberos userreg server |
| 754 | TCP/UDP | TELL | send |
| 760 | TCP | NS | Kerberos replica propagation |
| 782 | TCP | CONSERVER | Conserver serial-console management server |
| 783 | TCP | SPARTA-RPC | SPARTA, unregistered |
| 829 | TCP | CMP | Certificate Management Protocol |
| 853 | TCP/UDP | DNS-OVER-TLS | DNS over TLS/SSL |
| 873 | TCP | RSYNC | rsync File Synchronization Protocol |
| 901 | TCP | SWAT | Samba Web Administration Tool |
| 902 | TCP | VMWARE | VMware Server Console |
| 903 | TCP | ISCSI-TARGET | iSCSI Target |
| 989 | TCP/UDP | FTPS-DATA | FTP data over TLS/SSL |
| 990 | TCP/UDP | FTPS | FTP control over TLS/SSL |
| 991 | TCP/UDP | NAS | Netnews Administration System |
| 992 | TCP/UDP | TELNETS | Telnet over TLS/SSL |
| 993 | TCP | IMAPS | IMAP over TLS/SSL |
| 994 | TCP | IRCS | IRC over TLS/SSL |
| 995 | TCP | POP3S | POP3 over TLS/SSL |
| 1023 | TCP/UDP | Reserved | Reserved |
Selected popular registered ports (1024-49151)
| Port | Protocol | Service | Description |
|---|---|---|---|
| 1080 | TCP | SOCKS | SOCKS Proxy |
| 1099 | TCP | RMI | Java Remote Method Invocation (RMI) |
| 1194 | TCP/UDP | OpenVPN | OpenVPN |
| 1270 | TCP/UDP | MSCLIENTADMIN | Microsoft Client Administrator |
| 1311 | TCP | RXP | RXP - Dell Remote Access |
| 1352 | TCP | LOTUSNOTES | Lotus Notes/Domino |
| 1433 | TCP | MS-SQL-S | Microsoft SQL Server |
| 1434 | UDP | MS-SQL-M | Microsoft SQL Monitor |
| 1512 | TCP/UDP | WINS | Microsoft Windows Internet Name Service |
| 1521 | TCP | ORACLE | Oracle database default listener |
| 1525 | TCP | PROSPERO | Prospero Directory Service |
| 1526 | TCP | PROSPERO-NP | Prospero Non-Privileged |
| 1527 | TCP | TLISRV | Oracle TLI Service |
| 1533 | TCP | SAMSG | Microsoft SQL Server Administrator |
| 1645 | UDP | SIGHTLINE | Sightline |
| 1646 | UDP | SIGHTLINE | Sightline |
| 1649 | TCP | KERMIT | Kermit |
| 1677 | TCP/UDP | GROUPWISE | Novell GroupWise |
| 1701 | UDP | L2TP | Layer 2 Tunneling Protocol |
| 1716 | TCP | MITU | Microsoft Interactive Training |
| 1719 | UDP | H323GATESTAT | H.323 Gatekeeper Status |
| 1720 | TCP | H323HOSTCALL | H.323 Call Signaling |
| 1723 | TCP/UDP | PPTP | Point-to-Point Tunneling Protocol |
| 1755 | TCP/UDP | MMS | Microsoft Media Services |
| 1761 | TCP | LANDESK-RC | LANDesk Remote Control |
| 1812 | TCP/UDP | RADIUS | RADIUS authentication protocol |
| 1813 | TCP/UDP | RADIUS-ACCT | RADIUS accounting protocol |
| 1863 | TCP | MSNP | Microsoft Notification Protocol (MSN Messenger) |
| 1883 | TCP/UDP | MQTT | Message Queuing Telemetry Transport |
| 1900 | UDP | SSDP | Simple Service Discovery Protocol |
| 1935 | TCP | RTMP | Real Time Messaging Protocol |
| 2000 | TCP/UDP | CISCO-SCCP | Cisco SCCP/Skinny |
| 2049 | TCP/UDP | NFS | Network File System |
| 2082 | TCP | CPANEL | cPanel default |
| 2083 | TCP | CPANEL-SSL | cPanel default SSL |
| 2086 | TCP | WEBHOST | Web Host Manager default |
| 2087 | TCP | WEBHOST-SSL | Web Host Manager default SSL |
| 2095 | TCP | WEBMAIL | cPanel Webmail |
| 2096 | TCP | WEBMAIL-SSL | cPanel Webmail SSL |
| 2181 | TCP | ZOOKEEPER | Apache ZooKeeper client |
| 2220 | TCP | NETIQ | NetIQ |
| 2222 | TCP | DIRECTADMIN | DirectAdmin default |
| 2375 | TCP | DOCKER | Docker REST API (unencrypted) |
| 2376 | TCP | DOCKER-S | Docker REST API (SSL) |
| 2377 | TCP | DOCKER-SWARM | Docker Swarm cluster management |
| 2483 | TCP | ORACLE-DB | Oracle DB default listener (TCP/IP v2) |
| 2484 | TCP | ORACLE-DB-SSL | Oracle DB default listener SSL |
| 2638 | TCP | SYBASE | Sybase database server |
| 3000 | TCP | NTOP | ntop web interface |
| 3001 | TCP | NESSUS | Nessus Security Scanner |
| 3128 | TCP | SQUID | Squid Web Proxy |
| 3260 | TCP | ISCSI | iSCSI target |
| 3268 | TCP | MSFT-GC | Microsoft Global Catalog |
| 3269 | TCP | MSFT-GC-SSL | Microsoft Global Catalog over SSL |
| 3306 | TCP | MYSQL | MySQL database system |
| 3333 | TCP | DEC-NOTES | DEC Notes |
| 3389 | TCP/UDP | MS-RDP | Microsoft Remote Desktop Protocol |
| 3690 | TCP | SVN | Subversion Version Control System |
| 3724 | TCP/UDP | BLIZZARD | Blizzard Games |
| 3872 | TCP | ORACLE-NET | Oracle Net Services |
| 4000 | TCP/UDP | DICOM | Medical Digital Imaging |
| 4040 | TCP | H225 | H.225 |
| 4200 | TCP | VNC | Virtual Network Computing |
| 4369 | TCP/UDP | EPMD | Erlang Port Mapper Daemon |
| 4443 | TCP | PHAROS | Pharos |
| 4444 | TCP | KRSD | Kerberos Remote Setup and Administration Daemon |
| 4445 | TCP | UPNOTIFYP | UPNOTIFYP |
| 4505 | TCP | SALTSTACK | SaltStack Master |
| 4506 | TCP | SALTSTACK | SaltStack Minion |
| 4569 | UDP | IAX | Inter-Asterisk eXchange |
| 4664 | TCP | DSMS | Google Desktop Search |
| 4730 | TCP/UDP | GEARMAN | Gearman Job Server |
| 5000 | TCP | UPnP | Universal Plug and Play |
| 5001 | TCP | IPP | IPP (Internet Presence Provider) |
| 5004 | UDP | RTP | Real-time Transport Protocol (media data) |
| 5005 | UDP | RTCP | Real-time Transport Control Protocol (control info) |
| 5060 | TCP/UDP | SIP | Session Initiation Protocol |
| 5061 | TCP/UDP | SIP-TLS | Session Initiation Protocol over TLS |
| 5190 | TCP | AOL | AOL Instant Messenger |
| 5222 | TCP | XMPP | XMPP/Jabber client connection |
| 5269 | TCP | XMPP-SERVER | XMPP/Jabber server-to-server connection |
| 5353 | UDP | MDNS | Multicast DNS (Zeroconf/Bonjour) |
| 5432 | TCP | POSTGRESQL | PostgreSQL database system |
| 5433 | TCP | PYRRHO | Pyrrho DBMS |
| 5500 | TCP | VNC | Virtual Network Computing |
| 5554 | TCP | SGI-ESPHTTP | SGI ESP HTTP |
| 5631 | TCP | PCANYWHEREDATA | pcAnywhere data |
| 5632 | UDP | PCANYWHERESTAT | pcAnywhere status |
| 5672 | TCP | AMQP | Advanced Message Queuing Protocol |
| 5900 | TCP | VNC | Virtual Network Computing (VNC) display 0 |
| 5901-5903 | TCP | VNC | Virtual Network Computing (VNC) displays 1-3 |
| 5938 | TCP | TEAMVIEWER | TeamViewer remote control |
| 6000-6063 | TCP | X11 | X Window System (X11) displays 0-63 |
| 6346 | TCP/UDP | GNUTELLA | Gnutella file sharing |
| 6347 | TCP/UDP | GNUTELLA2 | Gnutella2 file sharing |
| 6379 | TCP | REDIS | Redis key-value datastore |
| 6444 | TCP | SUN-SR-HTTPS | Sun Storage and Backup |
| 6543 | TCP | MYTHTV | MythTV Backend Server |
| 6566 | TCP | SANE | SANE Network Scanner Control |
| 6660-6669 | TCP | IRC | Internet Relay Chat |
| 6881-6887 | TCP/UDP | BITTORRENT | BitTorrent |
| 6888 | TCP | MUSE | MUSE |
| 6969 | TCP | ACMSODA | acmSODA |
| 7000 | TCP | ATRCTRL | Atrctrl |
| 7001 | TCP | WEBLOGIC | WebLogic Server |
| 7002 | TCP | WEBLOGIC-SSL | WebLogic Server SSL |
| 7003 | TCP/UDP | VOLUME-CAPACITY | VERITAS Volume Manager |
| 7070 | TCP | REALSERVER | RealServer/QuickTime |
| 7100 | TCP | FONT-SERVICE | X Font Service |
| 7937 | TCP | NSREXECD | Legato NetWorker |
| 7938 | TCP | LGTOMAPPER | Legato NetWorker |
| 8000 | TCP | HTTP-ALT | Alternate HTTP port |
| 8008 | TCP | HTTP | Alternate HTTP port |
| 8009 | TCP | AJPV13 | Apache JServ Protocol |
| 8010 | TCP | XMPP | XMPP/Jabber File Transfer |
| 8080 | TCP | HTTP-PROXY | HTTP Proxy/Second Web Server |
| 8081 | TCP | HTTP-PROXY | HTTP Proxy/Second Web Server |
| 8086 | TCP | INFLUXDB | InfluxDB database system |
| 8088 | TCP | RADAN-HTTP | Radan HTTP |
| 8089 | TCP | SPLUNKD | Splunk search service |
| 8090 | TCP | OPSMESSAGING | SAP Solution Manager |
| 8140 | TCP | PUPPET | Puppet Master |
| 8191 | TCP | LIMNERPRESSURE | Limner Pressure |
| 8443 | TCP | HTTPS-ALT | Alternate HTTPS port |
| 8530 | TCP | WSUS | Windows Server Update Services |
| 8883 | TCP | SECURE-MQTT | Secure MQTT (MQTT over TLS) |
| 8888 | TCP | NewsEDGE | NewsEDGE server |
| 9000 | TCP | CSLISTENER | CSlistener |
| 9001 | TCP | TOR-ORPORT | Tor ORPort |
| 9009 | TCP | PICHAT | Pichat Server |
| 9090 | TCP | WEBSM | WebSM |
| 9091 | TCP | XMLTEC-XMLMAIL | xmltec-xmlmail |
| 9100 | TCP | JETDIRECT | HP JetDirect card |
| 9200 | TCP | ELASTICSEARCH | Elasticsearch REST API |
| 9300 | TCP | ELASTICSEARCH | Elasticsearch transport protocol |
| 9418 | TCP | GIT | Git Version Control System |
| 9443 | TCP | TUNGSTEN-HTTPS | WSO2 Tungsten HTTPS |
| 9999 | TCP | DISTINCT | Distinct |
| 10000 | TCP | WEBMIN | Webmin Administrative Interface |
| 10050 | TCP/UDP | ZABBIX-AGENT | Zabbix Agent |
| 10051 | TCP/UDP | ZABBIX-TRAPPER | Zabbix Trapper |
| 11211 | TCP/UDP | MEMCACHED | Memcached |
| 11371 | TCP | HKPV0 | OpenPGP HTTP Keyserver Protocol (HKP) |
| 12345 | TCP | NETBUS | NetBus backdoor trojan |
| 16000 | TCP | ORACLE-XE | Oracle Express Database |
| 27017-27019 | TCP | MONGODB | MongoDB database system |
| 28017 | TCP | MONGODB-WEB | MongoDB web status page |
| 32400 | TCP | PLEX | Plex Media Server |
| 33060 | TCP | MYSQLX | MySQL X Protocol |
| 33848 | TCP | JENKINS | Jenkins web interface |
Notes
- Well-known ports (0-1023) require root/administrator privileges for listening.
- Registered ports (1024-49151) are assigned by IANA upon request.
- Dynamic/private ports (49152-65535) can be used by any applications.
Useful port analysis commands
Checking open ports and listening services
Checking if a specific port is open
Scanning for open ports on a host
Listening on a specific port (netcat)
Testing connectivity to a specific port