
When you open a TCP connection and the kernel needs to assign your process a port number, it doesn't give you port 1, or 80, or any of the well-known numbers that humans reserve for official services. It gives you something higher. On Windows systems for twenty years, it would give you something starting around port 1025.

That's the secret life of port 1025. It's not really a service port at all. It's the threshold. The beginning. The moment when numbered doors transition from "these are for important things" to "these are for you."

What Lives on Port 1025

The IANA service registry lists port 1025 as "blackjack"—a vestigial remnant of a networked card game that flourished in the early 1990s and then disappeared completely.[1] You can find references to it in old forum posts asking "What is network blackjack?" The answer that comes back is always uncertainty. Nobody really remembers. The service died, but the IANA registration survived, a ghost registration for a ghost port.

But that's not what actually uses port 1025 anymore.

In practice, port 1025 belongs to the ephemeral range—the dynamic ports that the operating system assigns to processes that don't have privileged access (processes that can't claim ports 0-1023). For the first two decades of modern Windows, the ephemeral port range was 1025 to 5000.[2] This meant that every single client connection, every short-lived network operation, every service trying to register itself started around port 1025. It was the first door.

The other principal use of port 1025 is as a dynamic assignment port for RPC services—especially NFS (Network File System). This is where it gets genuinely interesting.

The Beauty and Chaos of RPC Portmapping

NFS didn't want to hardcode port numbers for its subsidiary services. The protocol needed flexibility. It needed to let different servers run different services on different ports and have clients find them anyway.

Here's how it works: When an NFS server starts, it runs multiple RPC services. Mountd (the mount daemon), nlockmgr (the lock manager), statd (the status daemon)—each one asks the kernel "give me an available port." The kernel gives them whatever's next. Could be 1025. Could be 1037. Could be anything in the ephemeral range.[3]

The server then registers that mapping with portmapper (the RPC port mapping service that runs on port 111): "My mountd is on port 1035. My nlockmgr is on port 1042." The information is stored in a registry that lives in memory.

When a client wants to mount an NFS share, it doesn't know these port numbers. It doesn't care. It contacts portmapper with a question: "Where does mountd live on this server?" Portmapper answers: "Port 1035." The client connects to port 1035. The infrastructure conversation happens beneath the user's awareness.[4]
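The question-and-answer exchange described above, written out as the actual bytes on the wire. This is an added example, not code from the original page: it builds the portmapper GETPORT call and parses the reply in their UDP form (no TCP record marking), and the xid value and the constructed reply are assumptions chosen to match the "mountd is on port 1035" case in the text.

```python
import struct

# Constants from RFC 5531 (ONC RPC) and RFC 1833 (portmapper version 2).
CALL, REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NONE = 0, 1, 0, 0, 0
RPC_VERSION = 2
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNTD_PROG, MOUNTD_VERS = 100005, 3   # mountd as used by NFSv3
IPPROTO_TCP = 6

def build_getport_call(xid, prog, vers, proto):
    """Client -> portmapper on port 111: where is (prog, vers, proto)?"""
    header = struct.pack(">6I", xid, CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", AUTH_NONE, 0, AUTH_NONE, 0)  # empty credential, empty verifier
    args = struct.pack(">4I", prog, vers, proto, 0)        # port field is ignored in a query
    return header + auth + args

def build_getport_reply(xid, port):
    """Portmapper -> client: accepted reply; the result is one unsigned int."""
    return struct.pack(">7I", xid, REPLY, MSG_ACCEPTED, AUTH_NONE, 0, SUCCESS, port)

def parse_getport_reply(data, expected_xid):
    """Return the registered port, or None if the program is not registered."""
    if len(data) < 20:
        raise ValueError("truncated RPC reply")
    xid, msg_type, reply_stat, _flavor, verf_len = struct.unpack(">5I", data[:20])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not answer this call")
    if msg_type != REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("call was not accepted")
    offset = 20 + ((verf_len + 3) & ~3)      # skip verifier body (XDR pads to 4 bytes)
    if len(data) < offset + 8:
        raise ValueError("truncated RPC reply")
    accept_stat, port = struct.unpack(">2I", data[offset:offset + 8])
    if accept_stat != SUCCESS:
        raise ValueError("portmapper returned an error status")
    return port or None                      # port 0 means "not registered"

if __name__ == "__main__":
    xid = 0x1025                             # arbitrary transaction id (constructed)
    call = build_getport_call(xid, MOUNTD_PROG, MOUNTD_VERS, IPPROTO_TCP)
    reply = build_getport_reply(xid, 1035)   # constructed answer matching the text
    print(len(call), "byte call ->", parse_getport_reply(reply, xid))
```

Nothing in the call authenticates the asker (the credential is AUTH_NONE), so the port-to-service registry is readable by anyone who can reach port 111.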

This is elegant. This is also a nightmare for firewall administrators—it means you can't just "open port 2049 for NFS" and call it secure. You have to open a range of ephemeral ports because you don't know in advance which ports the RPC services will claim. In the worst case, you open 1024-65535 and hope for the best.

NFSv4 solved this. By moving to stateless operations and TCP as the standard transport, NFSv4 eliminated the need for portmapper entirely. It just uses port 2049. The infrastructure got simpler. But for NFSv2 and NFSv3 systems still in production (and there are millions), port 1025 and its siblings remain part of the conversation.[5]

Windows, IIS, and the Ephemeral Threshold

On Windows, port 1025 became something different: the beginning of the standard ephemeral port range. For decades, if you opened a Windows system and asked "what's the default port I can use for outbound connections," the answer was 1025-5000.

This is why you see port 1025 associated with IIS in various configurations. It's not that IIS specially uses port 1025. It's that IIS (like any Windows service) would use ports in that range when making connections, when RPC services registered themselves, when auxiliary services needed a dynamic port.[6]

With Windows Vista and Windows Server 2008, Microsoft changed the ephemeral port range to 49152-65535 (matching the IANA registered range for dynamic ports). Port 1025 stopped being the threshold. But on older systems, it was always there—the first port after the reserved ones, the door that opened by default.

The Genuine Strangeness

What makes port 1025 genuinely fascinating is that it's caught between identities. It's officially a game port (blackjack) that nobody remembers. It's practically an ephemeral port that the kernel gives out to processes that can't have reserved numbers. It's historically the RPC dynamic port that NFS uses when it doesn't know where to put things. It's the beginning of "normal" ports, the threshold where infrastructure becomes mundane.

Most ports carry a specific service, a protocol, a purpose. Port 443 is HTTPS. Port 22 is SSH. Port 25 is SMTP. Port 1025 carries something stranger: it carries the bootstrap moment. It carries the question "where should I go?" And on networks running older NFS, on Windows systems from the 2000s, on processes that are still asking the kernel for an available port, the answer is still often: "try 1025."

Security Considerations

Port 1025 is relatively quiet from a security perspective, which is itself interesting. It's not a well-known entry point. You can't SSH into it. You can't browse to it with a web browser. But because it falls in the ephemeral range, it can be claimed by any process that needs a dynamic port—including malicious ones.

The real vulnerability with port 1025 and its dynamic siblings is the firewall problem: networks that need NFS often have to open the entire ephemeral port range to make RPC work, creating a much larger attack surface than necessary. This is one reason why NFSv4's shift to a fixed port (2049) is such an improvement from a security architecture perspective—it lets you be specific about what you're permitting.[4]
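To make the firewall problem concrete (here and in the portmapping section above), this added example, which is not from the original page, audits `rpcinfo -p` output and separates the registrations a rule can name in advance from the ones the kernel handed out. The sample listing is constructed, and treating only ports 111 and 2049 as fixed is an assumption taken from the text.

```python
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output from an NFSv3 server (not real data).
# statd appears under its registered RPC name, "status".
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp   1035  mountd
    100005    3   udp   1035  mountd
    100021    4   tcp   1042  nlockmgr
    100024    1   tcp   1025  status
"""

FIXED_PORTS = {111, 2049}  # assumption: the only ports known before the server boots

def parse_rpcinfo(text):
    """Yield (service, proto, port) for each registration row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue  # header line or malformed row
        service = fields[4] if len(fields) > 4 else fields[0]  # unnamed: use program number
        yield service, fields[2], int(fields[3])

def firewall_report(text):
    """Split registrations into fixed ports and kernel-assigned (floating) ones."""
    fixed, floating = defaultdict(set), defaultdict(set)
    for service, proto, port in parse_rpcinfo(text):
        bucket = fixed if port in FIXED_PORTS else floating
        bucket[(port, proto)].add(service)
    return dict(fixed), dict(floating)

def allow_rules(text):
    """Exact (port, proto) pairs a firewall would need for the current registrations."""
    fixed, floating = firewall_report(text)
    return sorted(set(fixed) | set(floating))

if __name__ == "__main__":
    _fixed, floating = firewall_report(SAMPLE)
    for (port, proto), services in sorted(floating.items()):
        print(f"floating {port}/{proto}: {', '.join(sorted(services))}")
    print("rules valid for this boot only:", allow_rules(SAMPLE))
```

The floating entries are only valid until the daemons restart and ask the kernel for a port again, which is how a precise rule set drifts toward opening the whole range.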

  • Port 111 (Portmapper/RPC): The registry service that tells you which ports 1025's siblings are actually using
  • Port 2049 (NFS): The modern fixed port for NFS version 4, which eliminated the need for dynamic port allocation
  • Port 1024: The last reserved port before the ephemeral range begins (on older Windows systems)
  • Port 49152+: The modern ephemeral port range on newer systems, which displaced 1025 as the starting point
