Port 604 carries the TUNNEL profile for BEEP (Blocks Extensible Exchange Protocol). It's an officially assigned well-known port that enables application-layer tunneling through firewalls.
What Runs on Port 604
The TUNNEL profile allows a BEEP peer to act as an application-layer proxy. When you need to reach a service behind a firewall, port 604 provides the authorized pathway through.
This isn't a VPN. It's not SSH tunneling. It's a BEEP-specific mechanism that creates secure application-layer tunnels between cooperating peers.
How TUNNEL Works
The protocol uses source routing with "tunnel" elements. Each packet contains a route specified as nested elements—the outermost element gets stripped off at each hop to determine the next destination. When a peer receives a tunnel element with no inner elements, it knows it's the final destination.
The security benefit: attackers sniffing packets on one side of the firewall cannot see IP addresses or FQDNs of machines on the other side. The tunnel obscures the network topology from anyone watching the wire.
The History
BEEP (Blocks Extensible Exchange Protocol) emerged from BXXP, a protocol designed in 1998 by Marshall T. Rose—the same engineer behind POP3, SMTP, and SNMP. Rose handed the work to the IETF in summer 2000.
In 2001, the IETF published RFC 3080 and RFC 3081, defining BEEP with enhancements to the original BXXP design.1 BEEP provides building blocks for network application protocols: framing, pipelining, multiplexing, authentication, and asynchronous full-duplex communication.
The TUNNEL profile came later, published in October 2003 as RFC 3620.2 IANA allocated port 604 specifically for this profile.
Why It Matters
Firewalls create boundaries. Sometimes you need authorized users to cross those boundaries to reach services. Port 604 provides a standardized way to do that without punching permanent holes in the firewall or exposing your internal network structure.
The TUNNEL profile prevents exhaustive connection attempts via source routing and ensures that intermediate hops cannot see the full path. Each peer only knows the next hop, not the complete route.
Security Considerations
Port 604 requires proper authentication and authorization. The TUNNEL profile doesn't make your firewall weaker—it provides a controlled, authenticated pathway through it.
However, like any tunneling mechanism, it requires careful configuration. Allowing unauthorized users to create tunnels defeats the purpose of having a firewall in the first place.
Well-Known Port Range
Port 604 falls within the system ports range (0-1023), which means it's assigned by IANA through the "IETF Review" or "IESG Approval" procedures described in RFC 8126.3 These ports are reserved for services that have standardized protocols and widespread use.
Check What's Listening
On Linux or macOS:
On Windows:
If you see something listening on port 604 and you're not running BEEP services, investigate. This port should only be used by BEEP implementations supporting the TUNNEL profile.
Related Ports
BEEP itself doesn't have a single assigned port—different BEEP profiles use different ports. Port 604 is specific to the TUNNEL profile. Other BEEP profiles use their own assigned ports depending on the application.
Current Usage
BEEP and its TUNNEL profile are not widely deployed in 2026. The protocol never achieved widespread adoption despite its technical merits. You're unlikely to encounter port 604 in use unless you're working with legacy systems or specialized environments that specifically chose BEEP.
Most modern tunneling solutions use SSH (port 22), VPNs (various ports), or application-specific tunneling mechanisms instead.
Frequently Asked Questions About Port 604
¿Fue útil esta página?