How do I check if a port is open on my public IP?

Use a server-side port checker like the What Is My Open Ports tool. It attempts a TCP connection from an external server to your public IP on the requested port and reports whether it is open, closed, or filtered. You cannot do this reliably from a browser directly.

What does 'filtered' mean for a port?

Filtered means a firewall or router is silently dropping connection attempts — no response arrives. Most home router ports appear filtered by default because NAT blocks all unsolicited inbound connections.

Is it safe to have port 22 (SSH) open?

SSH with key-based authentication and current patches is relatively safe, but any publicly exposed SSH port will attract constant brute-force attempts. Use fail2ban or rate limiting, disable password authentication, and consider changing from the default port 22.

Why does a port show open even when I haven't forwarded it?

Your ISP, cloud provider, or router may be running a service on that port. Some ISPs use public-facing management interfaces. Check what process is listening with 'netstat -tlnp' (Linux) or 'netstat -ano' (Windows).

Can I use this tool to check ports on someone else's IP?

No. The tool only checks the IP address of the browser making the request. It cannot be directed to scan other hosts.

May 2, 2026 · 7 min read

What Is My Open Ports? How to Check TCP Ports on Your Public IP

Learn what open, closed, and filtered ports mean, which ports are security risks, and how to check your public IP's open ports without any software.

Your public IP address is visible to every device on the internet — and so are any services listening on its ports. Knowing which ports are open is the first step in understanding your network's attack surface.

A port checker connects to your IP from an external server and reports whether each port is open (a service accepted the connection), closed (the OS refused it), or filtered (a firewall dropped the packet silently). The What Is My Open Ports tool does this automatically for a set of common ports and for any custom port you enter.

What is a network port?

An IP address gets packets to the right machine. A port number — a 16-bit integer from 1 to 65535 — tells the operating system which program should handle those packets.

When a program calls bind() and listen() on a port, it is listening: ready to accept incoming connections. When nothing is listening, the OS responds to incoming TCP SYN packets with an RST (reset), signalling "closed." When a firewall drops the packet without any reply, the sender waits until timeout — this is a filtered port.

Open, closed, and filtered — the TCP handshake view

The standard TCP handshake sends three packets:

SYN — client asks to connect
SYN-ACK — server agrees (port is open)
ACK — client confirms

If instead of SYN-ACK the server sends RST-ACK, the port is closed. If the SYN packet disappears entirely, the port is filtered.

Status	What happened	What it means
Open	SYN-ACK received	A service is listening and reachable
Closed	RST-ACK received	No service listening; host is up
Filtered	No reply (timeout)	Firewall / NAT is blocking the packet

Most home IP addresses show nearly all ports as filtered because consumer routers apply NAT by default and block all unsolicited inbound connections.

Why port checking requires an external server

Browsers run in a sandboxed security model. JavaScript cannot open arbitrary TCP sockets to external hosts — this would let any website scan your network or probe internal services. The fetch() API is restricted to HTTP/HTTPS; direct TCP is not available to web pages.

A server-side port checker bypasses this by making the TCP connection from infrastructure you trust, then returning the result. The check is equivalent to running nc -zv <your-ip> <port> from a remote machine:

# Equivalent shell command
nc -zv 203.0.113.42 22
# Connection to 203.0.113.42 22 port [tcp/ssh] succeeded!

The result tells you exactly what an attacker scanning the internet would see.

Common ports and their risk level

Port	Service	Risk if open publicly
22	SSH	Medium — brute-forced constantly; use key auth
23	Telnet	High — sends data in plaintext
25	SMTP	Medium — relay abuse if misconfigured
80	HTTP	Low — expected for web servers
443	HTTPS	Low — expected for web servers
3306	MySQL	Critical — never expose to public internet
5432	PostgreSQL	Critical — never expose to public internet
6379	Redis	Critical — no auth by default in older versions
8080	HTTP Alt	Medium — often dev tools with no auth
27017	MongoDB	Critical — massive breach history from public exposure

How NAT and port forwarding interact

Most home and office users sit behind NAT (Network Address Translation). Your router gives each device a private IP (192.168.x.x, 10.x.x.x) and presents a single public IP to the internet. Inbound connections that reach the router's public IP have nowhere to go unless you configure port forwarding — a NAT rule that maps an external port to an internal machine and port.

If you run a game server, self-host a website, or use a service that needs inbound connections (VoIP, BitTorrent, remote desktop), you configure port forwarding in the router's admin panel. The port checker confirms whether the forwarding is working — if the port shows open from outside, the forwarding rule is correctly directing traffic to your machine.

Securing ports you didn't mean to open

If the port checker reveals an unexpected open port:

Identify the listener — on Linux: ss -tlnp | grep :<port> or netstat -tlnp. On Windows: netstat -ano | findstr :<port> then look up the PID in Task Manager.
Stop the service if it should not be running, or reconfigure it to bind to 127.0.0.1 only.
Add a firewall rule — ufw deny <port>/tcp on Ubuntu, or a Windows Firewall inbound rule on Windows.
Verify the fix — re-run the port checker; the port should now show filtered from outside.

Check your public IP's ports right now — no software required — on the What Is My Open Ports tool. For context on the IP being scanned, see What Is My IP.