
TCP/UDP Port Validator

Validate TCP/UDP port number and classify range.

TCP and UDP ports: 16 bits that route every packet on the internet

A network port is a 16-bit unsigned integer that identifies a specific application endpoint on a host. Because the field has exactly 16 bits, the valid range is 0 to 65535; any number outside that interval is, by definition, an invalid port. Together with the IP address, the port forms the socket that the operating system uses to deliver a packet to the right process. Without ports, a server with one IP address could only run a single network application at a time.

Ports exist in two parallel namespaces: TCP and UDP. They are independent: TCP port 53 (used historically for DNS zone transfers) and UDP port 53 (used for regular DNS queries) are completely separate sockets. The same logic applies to QUIC (UDP-based) and SCTP. The IANA registry, defined in RFC 6335, splits the entire 65 536-entry space into three official ranges with very different conventions.

The three IANA ranges

  • 0 to 1023: well-known (system) ports. Assigned by IANA to canonical services. On Unix-like systems they require root or the CAP_NET_BIND_SERVICE capability to bind. Classic examples: HTTP 80, HTTPS 443, SSH 22, SMTP 25, DNS 53, FTP 21/20, POP3 110, IMAP 143, IMAPS 993, NTP 123, SNMP 161, LDAP 389, LDAPS 636.
  • 1024 to 49151: registered (user) ports. Reserved by IANA for specific applications upon request. Database engines famously live here: MySQL 3306, PostgreSQL 5432, Redis 6379, MongoDB 27017, Memcached 11211, RabbitMQ 5672, Elasticsearch 9200. Application servers too: Node debug 9229, Tomcat 8080, Jenkins 8080, Grafana 3000.
  • 49152 to 65535: dynamic, private or ephemeral ports. Allocated transiently by the kernel for outgoing client connections, never registered. They are the "return address" your laptop uses when it opens a TCP connection to :443 on a remote host.

The default ephemeral range differs by OS: Linux uses 32768 to 60999 (tunable via /proc/sys/net/ipv4/ip_local_port_range); Windows Vista+, macOS and most BSDs follow the IANA recommendation of 49152 to 65535. RFC 6056 mandates port randomization within the chosen range to prevent off-path attackers from guessing client-side port numbers.

Validating a port string: regex plus range

A pure regex such as ^([0-9]{1,5})$ only enforces that the input is one to five digits. The arithmetic check matters too: 65536 matches the regex but is invalid; 00080 matches but is non-canonical. Production validators normalize by parsing to an integer and verifying 0 ≤ n ≤ 65535. Many tools also reject port 0 by default: it is technically reserved, but on Linux binding to 0 instructs the kernel to assign a free ephemeral port; that is useful for ad-hoc servers and unit tests, but never appropriate as a hard-coded value in config.

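function isValidPort(s) {
  // Shape check: one to five ASCII digits, nothing else
  if (!/^\d{1,5}$/.test(s)) return false;
  // Range check: "65536" passes the regex but does not fit in 16 bits
  const n = Number(s);
  return n >= 0 && n <= 65535;
}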
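A stricter variant of the check above, as an added example that is not this page's or any library's code: it also refuses the non-canonical and port 0 cases the text mentions and classifies the result into the three IANA ranges. The name parsePort, the allowZero option and the shape of the returned object are assumptions made for illustration.

```javascript
// Added example: strict port parsing plus IANA range classification.
// parsePort, allowZero and the result object are hypothetical names.
function parsePort(input, { allowZero = false } = {}) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  // ASCII digits only: rejects signs, spaces, "80.0", "0x50" and "8e1",
  // all of which Number() alone would happily convert.
  if (!/^[0-9]{1,5}$/.test(input)) return { ok: false, reason: 'not 1-5 ASCII digits' };
  // "00080" would silently become 80, so refuse leading zeros.
  if (input.length > 1 && input[0] === '0') return { ok: false, reason: 'leading zero' };
  const port = Number(input);
  if (port > 65535) return { ok: false, reason: 'exceeds 16 bits' };
  // Port 0 means "kernel, pick a free port": fine in tests, wrong in config.
  if (port === 0 && !allowZero) return { ok: false, reason: 'port 0 is reserved' };
  let range;
  if (port <= 1023) range = 'well-known';
  else if (port <= 49151) range = 'registered';
  else range = 'dynamic';
  // Ports 1-1023 need root or CAP_NET_BIND_SERVICE on Unix-like systems;
  // binding to 0 does not, because the kernel assigns an ephemeral port.
  return { ok: true, port, range, privileged: port >= 1 && port <= 1023 };
}

// Constructed sample inputs, covering each rejection path.
for (const s of ['443', '5432', '49152', '65536', '00080', '0', ' 80', '-1']) {
  console.log(JSON.stringify(s), parsePort(s));
}
```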

Operational uses: firewalls, containers, microservices

Port validation is the unsung hero of every modern infra config. Firewalls (iptables, nftables, AWS Security Groups, Azure NSG) declare allowed traffic per port; Docker exposes services with -p 8080:80; Kubernetes Service objects list containerPort and targetPort; nginx upstream blocks route by server backend:5432;. SSH port forwarding (ssh -L 8080:localhost:80 user@host) and reverse tunnels rely on valid ports on both ends.

A frequent cause of production outages is a port collision: two services trying to bind to the same TCP socket. The kernel returns EADDRINUSE and the second process exits. Diagnose with lsof -i :PORT (macOS / Linux), netstat -an | grep PORT (cross-platform) or ss -tlnp (modern Linux). On macOS the AirPlay receiver famously squats on port 5000, which historically broke Flask defaults.

Security: scanning, exposure and the principle of least exposure

Port scanning with tools like nmap, masscan or zmap enumerates which TCP/UDP ports a host accepts connections on. Performed against your own assets, it is an essential audit step; performed against third parties without consent, it may be illegal in many jurisdictions, including under the Brazilian Marco Civil da Internet (Law 12 965/2014). Many of the largest data leaks of the past decade (unauthenticated Redis on 6379, MongoDB on 27017, Elasticsearch on 9200, Memcached on 11211) boil down to a service that was bound to 0.0.0.0 instead of 127.0.0.1 and left without auth.

Best practices: bind internal services to loopback or to a private network interface; place firewalls in front of any port reachable from the public internet; rotate SSH from 22 to a less-scanned port only as a complement to key-based auth, never as a substitute; in containers, only publish ports that are strictly required.
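One way to check your own host against the first practice, as an added example that is not part of the original page: it reads text in the column layout printed by ss -tln and reports listeners bound to every interface, marking the four data-store ports named above as high severity. The SAMPLE lines are constructed, and the function names and severity labels are assumptions.

```javascript
// Added example: find listeners bound to all interfaces in `ss -tln` output.
// SAMPLE is constructed data; SENSITIVE holds only ports named in this article.
const SENSITIVE = { 6379: 'Redis', 27017: 'MongoDB', 9200: 'Elasticsearch', 11211: 'Memcached' };

const SAMPLE = `
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:27017      0.0.0.0:*
LISTEN 0      4096   [::]:9200          [::]:*
LISTEN 0      1024   10.0.3.7:11211     0.0.0.0:*
LISTEN 0      128    *:22               *:*
`;

function classifyBind(addr) {
  const a = addr.split('%')[0];               // drop an interface suffix such as %lo
  if (a === '0.0.0.0' || a === '*' || a === '[::]') return 'all-interfaces';
  if (a.startsWith('127.') || a === '[::1]') return 'loopback';
  return 'specific-interface';
}

function auditListeners(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 5 || cols[0] !== 'LISTEN') continue;   // skips header and blanks
    const local = cols[3];
    const cut = local.lastIndexOf(':');       // port follows the last colon, IPv6 included
    const addr = local.slice(0, cut);
    const port = Number(local.slice(cut + 1));
    if (!Number.isInteger(port) || port < 1 || port > 65535) continue;
    if (classifyBind(addr) !== 'all-interfaces') continue;
    const service = SENSITIVE[port] || null;
    findings.push({ port, addr, service, severity: service ? 'high' : 'review' });
  }
  return findings;
}

console.log(auditListeners(SAMPLE));
```

A wildcard bind is only a finding to review: a host firewall or security group may still block the port, and a loopback or private-interface bind is what the practice above asks for.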

FAQ

Is port 0 a valid port? Numerically yes (0 fits in 16 bits), and on Linux it has the special meaning of "assign me any free port". As a configured service port it should be rejected.

Why do ports under 1024 need root? They are historical privileged ports; the rule prevents unprivileged users from impersonating well-known services like SMTP. Modern Linux offers setcap 'cap_net_bind_service=+ep' to grant the right without full root.

What is the maximum port number? 65535 (2^16 − 1). Any larger value is invalid for both TCP and UDP.

Can TCP and UDP share the same port number? Yes, they are independent namespaces. DNS uses 53 on both; HTTP/3 (QUIC) uses 443 UDP without conflicting with HTTPS on 443 TCP.

How do I find which process holds a port? lsof -i :PORT on macOS/Linux, ss -tlnp on modern Linux, or netstat -ano + Task Manager on Windows.
