Updated 1 day ago
When something won't connect, the first question is always: is the port actually open?
But "open" means different things depending on where you're asking from. A port can be open on your machine but blocked by your firewall. Open through your firewall but blocked by your ISP. Open to some parts of the Internet but not others.
Checking a port isn't one question. It's three.
The Three States
Every port exists in one of three states:
Open: A service is listening, ready to accept connections. This is what you want when you're testing a server you expect to reach.
Closed: Your connection attempt arrived, but nothing's listening. You'll see "connection refused"—a polite rejection. The network path works; the service doesn't.
Filtered: A firewall is silently dropping your packets. You knock and hear nothing—not even a rejection. This is the frustrating one, because silence could mean the host doesn't exist, the port is blocked, or your packets are being swallowed somewhere in between.
The difference matters. Closed means fix the service. Filtered means fix the network path.
Checking Your Own Machine
Windows
Open PowerShell:
This shows every TCP port your machine is listening on, along with the owning process.
The older approach still works:
The -o flag adds the Process ID, which you can look up in Task Manager.
macOS and Linux
The ss command is the modern standard:
That's TCP (-t), UDP (-u), listening (-l), numeric addresses (-n).
To see which process owns each port:
The lsof command—"list open files"—treats network connections as files, because in Unix, everything is.
Checking Remote Ports
Testing a port across the network means sending a connection attempt and watching what comes back.
Telnet
If the port is open, you'll see a connection message or a blank screen (you're connected, waiting for input). Closed gives you "Connection refused." Timeout means filtered or unreachable.
Telnet only speaks TCP.
Netcat
Netcat (nc) handles both protocols:
The -z flag scans without sending data. The -v flag makes it verbose. For UDP:
You can scan ranges:
Nmap
Nmap does what the other tools do, but tells you more—not just whether ports are open, but often what's running behind them:
UDP scanning requires root:
Here's the honest truth about UDP: it's fundamentally uncertain. TCP has a handshake—you know definitively whether a connection succeeded. UDP just sends packets into the void. If nothing comes back, is the port open and silent, or filtered and dropping everything? Nmap often returns open|filtered because it genuinely cannot tell. That ambiguity isn't a limitation of the tool. It's a property of the protocol.
PowerShell
This gives you ping results, TCP test results, and timing information without installing anything. Check the TcpTestSucceeded value in the output.
Testing from Outside Your Network
Here's the trap: testing your own server from inside your network might bypass your firewall entirely. Your packets never leave the building, so you never learn whether the outside world can reach you.
You need an external perspective.
Online port checkers connect to your public IP from servers on the Internet. They reveal whether your router's port forwarding works, whether your ISP blocks certain ports, and whether your firewall rules do what you think.
A remote server you control gives you more flexibility. SSH into a VPS and run nmap or netcat against your home IP. Same information, but you control the tools.
When Things Go Wrong
Port closed locally: The service isn't running. Start it.
Port open locally, closed remotely: A firewall is blocking traffic. Check the host firewall, security groups, and any network firewalls in the path.
Connection times out: Either the host is unreachable, or a firewall is silently dropping packets. Verify the IP. Try pinging the host.
Different results from different locations: Something is filtering by source—geographic restrictions, CDN routing, or network-specific rules.
Everything configured correctly but still blocked: Some residential ISPs block common ports like 25 (SMTP), 80 (HTTP), or 445 (SMB). If your configuration is right but external connections fail, your ISP might be the problem.
The Three Questions
Local tells you what's listening. Remote tells you what you can reach. External tells you what the world can reach. Three different questions. Three different answers.
Open means someone's answering. Closed means nobody's home. Filtered means you can't even knock.
And only scan systems you own or have permission to test. Port scanning someone else's infrastructure without authorization is a quick way to receive uncomfortable legal correspondence.
Frequently Asked Questions About Port Checking
Was this page helpful?