Quick select:
Port Checker
Enter a hostname or IP address and a port number to check whether the port is reachable from the internet. The check is performed from an external server — it tests real public accessibility, not just your local connection.
What this tool does
The Port Checker sends a real TCP connection attempt to the host and port you specify, from an external server on the internet. This tells you whether the port is publicly accessible — which is what matters when you are debugging firewall rules, checking if a service is exposed, or verifying a Cloudflare or reverse proxy configuration.
Results: Open means a service is listening and the connection succeeded. Closed means the host is reachable but nothing is listening (connection refused). Filtered means the connection timed out — typically a firewall is dropping packets silently.
Common use cases
- SSH locked out? Check port 22 to confirm the firewall rule actually took effect.
- Web server not responding? Test ports 80 and 443 to distinguish "server down" from "firewall blocking".
- Database exposed? Test ports 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis) — these should always return Closed or Filtered, never Open from the internet.
- Cloudflare proxy active? Port 443 should be Open; port 22 should be Filtered (Cloudflare absorbs it).
- VPS just provisioned? Check which ports are open before you start hardening.
What "filtered" actually means
A filtered port means the TCP SYN packet was never answered — no RST, no SYN-ACK. This is what a firewall that drops
packets (rather than rejecting them) looks like. iptables -j DROP and most cloud security group deny rules
produce filtered results. A -j REJECT rule produces a closed result instead. Both keep the port inaccessible,
but filtered is generally considered better security posture because it does not reveal host presence.
Frequently Asked Questions
Why is my port showing as filtered even though I opened it in the firewall?
Check the order of your firewall rules. On Linux with iptables, rules are evaluated top to bottom and the first match wins. A blanket DROP rule earlier in the chain overrides an ACCEPT rule that comes after it. Also verify you opened the right interface and that the service is bound to a public interface, not just 127.0.0.1.
The port shows open but I can't connect from my machine — why?
The check runs from the internet, not from your location. Your ISP or local network may be blocking the port on outbound traffic. Corporate networks commonly block outbound SSH (port 22) and non-standard ports. Try connecting from a mobile data connection to rule out local network filtering.
Can I check ports on a private network or behind a VPN?
No — this tool checks public internet accessibility only. Private IP ranges (10.x, 172.16–31.x, 192.168.x) are not routable from the internet and will always time out.
Why should Redis (6379), MongoDB (27017), and Elasticsearch (9200) never be open?
These services were designed to run on trusted internal networks. Redis had no authentication by default until version 6. Leaving them open has caused thousands of real data breaches. If this tool shows any of these ports as Open on a production server, treat it as an active incident.
Learn more: The Ports Every Sysadmin Should Know → · How to Check If a Port Is Open (Without a Terminal) →