Maybe think of it like one of those big walls of post office mailboxes…behind the wall is your computer and an app might be waiting for a message at box 22 or box 45678. You could close all the boxes and nothing could get in, or you could open one or all of them and allow people to deliver messages to them.

If you connect your computer directly to the internet, anyone who knows your IP address could say 'deliver message X to port 22 at ip address <your ip address> and the program watching that box would get the message.

If you put a router in the mix, and multiple computers, the router has the same block of boxes, but if someone sends a message to one of the boxes it just sets there. If you set up ‘forwarding’, sending a message to your ip address gets the message to the router, but if you forward box 22 from your router to a specific computer on your network, then the router takes a message at box 22 on itself and ‘forwards’ it to box 22 on whatever computer you specific (using internal ip addresses).

You could map box 22 on your router to any other box on your computer…like port 22 coming into your router might get sent to port 155 on your computer…this is useful if you don’t want external people just exploring and lazily breaking into your computer using known vulnerabilities. Lots of ports are ‘common’, so an ftp hack on port 22 is easy, and might be ‘slightly’ harder if you tell your computer to actually look for ftp traffic on port 3333 or something.

A “port” is just a number that gets assigned to network messages to differentiate targets within the same IP address.

One program is “listening on port 1”, which means it has told the operating system “anything labeled port 1, send it to me”.

It’s sort of like saying “attention: Joe” versus “attention: Sue” on an address. Same address, same building, but that “attention” line means to put it on Joe’s desk inside the building.

Except instead of “attention: Joe”, it’s just “attention: 22”. A numerical code that represents a “mailbox” inside the computer.

A port is basically what it sounds like, a hole in your network to allow traffic to get to your pc

When you forward a port you send all traffic trying to get into that port to the computer you configure it to forward to. I believe forwarding and opening are synonymous, I’m sure someone will correct me if I’m wrong

There are two protocols for transmitting data you can open/close individually, TCP and UDP. Depends on the application, some want one, some want the other, some can use either or some want both

Opening ports allows anyone with your IP address to get at your computer, which means they have a chance to exploit any vulnerabilities there might be in your os, networking stack, software etc, so generally it’s a good idea not to leave them open unless absolutely necessary

Personally I use tailscale to get around having to open ports, makes it as if they’re all on the same network

Imagine your computer is a big block of flats and your applications are all people who live in the building.

Mail sent to the building address alone isn’t going to reach the intended recipient, because the postman doesn’t know what flat to post it to. So they need additional information such as ‘Flat 2C’

That’s the basic concept of ports. It’s basically additional addressing information to allow your computer to direct internet traffic to the correct applications.

When an application is actively listening on a port, it means that they are keeping an eye out for messages addressed to them, as designated by the port number. While an application is sending or receiving messages using a given port number, that port number is considered ‘open’.

Now, all sorts of applications do all sorts of things. Some are for the public to use and there are some that are useful within trusted circles, but can be abused by malicious people if anyone in the world can send messages to it. Thus, we have a firewall, which acts as a gatekeeper. A firewall can ‘block’ a port, denying access to a given group of people, or ‘unblock’ it, allowing access.

VPNs are a totally different thing. They are literally middlemen for your internet traffic. Instead of directly posting a message to somewhere and receiving a direct reply back, imagine you flew out to Italy to use a post box there and receive replies from there.

Let’s say you want to talk to your friend. You have several protocols, Phone, Mail, Email, SMS, or maybe something stranger, like smoke signals or memes. Each protocol needs a different port.

Your friend doesn’t answer phone calls or check VMs. The ‘port’ for phone calls is blocked. Nothing gets in through here.

Your friend only accepts email from certain addresses, like protonmail. This port is filtered. Only known things get in through here.

Your friend accepts any texts if they begin with the secret pass phrase. This port is open and filtered. Few unknown things get in through here.

Your friend accepts all postage. This port is open. Anything can get in through here. HTTP or HTTPS, your browser.

The VPN is sort of like an opaque tunnel you run from your house alongside public roads to some place you feel safe exiting, And then the usual steps in communicating. All of the communication has to go through the exit point back to the house.

If this kind of thing interests you, have a basic book for free. https://open.umn.edu/opentextbooks/textbooks/353

deleted by creator

“porte” in French means a door.

Imagine each port is a door, all neatly aligned… some of them can be opened and lead to something… (a service)

Without invoking any analogies, a port is just a number. When an application on your computer sends or receives data, there is a port number associated with it. A server-side application listens for data with a particular port number, and a client side application needs to send data with the same port number to communicate with the right server application. The operating system uses the port number to route incoming data to the right application, and it ensures that only one application at a time can use any given port number.

Some port numbers are assigned to specific protocols (by IANA, I believe), like 80 for HTTP and 443 for HTTPS, so when you see a URL, the default port is usually implied by the protocol, but it can always be specified. For instance, https://google.com is equivalent to https://google.com:443. For more obscure protocols without assigned port numbers, you’ll usually see the port number in a URL, and this tends to happen in the same scenarios where you don’t have a domain name, so you’ll also see an IP address in a URL. It also happens when you need to run more than one of the same kind of server on a single machine. For example, when developing an HTTP server app, it’s customary to use port 8080 or 8888 to distinguish it from the “official” server app on the same machine using port 80, so your development server app will have a URL that looks like http://192.168.0.1:8080.

Typically ports 0-1023 are reserved by the operating system for programs set up by an administrator, and ports starting at 1024 up to a maximum of 65535 are available to any user, so they’re perfect for, say, a Jellyfin server or an app you’re developing. If someone gives you a URL with a port number, especially if it’s above 1023, make sure you trust the owner of the URL, because it can be a giveaway that someone is doing something shady.

A port is a convenience wrapper for the application space. That’s really it. The networking stack delivers messages to the host, and then the kernel uses ports to distribute messages from there. Otherwise every application would need to parse out every network (or local) payload to determine if it is relevant or not. This obviously ends up with a lot of duplicate processing, thus port routing instead.