this post was submitted on 09 Apr 2024
141 points (100.0% liked)

Asklemmy


It's the one thing when I'm configuring things that makes me wince because I know it will give me the business, and I know it shouldn't, but it does, every time. I have no real idea what I'm doing, what it is, how it works, so of course I'm blindly following instructions like a monkey at a typewriter.

Please guide me into enlightenment.

top 29 comments
[–] 520@kbin.social 71 points 7 months ago* (last edited 7 months ago) (6 children)

Imagine your computer is a big block of flats and your applications are all people who live in the building.

Mail sent to the building address alone isn't going to reach the intended recipient, because the postman doesn't know what flat to post it to. So they need additional information such as 'Flat 2C'.

That's the basic concept of ports. It's basically additional addressing information to allow your computer to direct internet traffic to the correct applications.

When an application is actively listening on a port, it means that they are keeping an eye out for messages addressed to them, as designated by the port number. While an application is sending or receiving messages using a given port number, that port number is considered 'open'.

Now, all sorts of applications do all sorts of things. Some are for the public to use and there are some that are useful within trusted circles, but can be abused by malicious people if anyone in the world can send messages to it. Thus, we have a firewall, which acts as a gatekeeper. A firewall can 'block' a port, denying access to a given group of people, or 'unblock' it, allowing access.

VPNs are a totally different thing. They are literally middlemen for your internet traffic. Instead of directly posting a message to somewhere and receiving a direct reply back, imagine you flew out to Italy to use a post box there and receive replies from there.

[–] promitheas@iusearchlinux.fyi 27 points 7 months ago (1 children)

To add to your analogy if I may, the firewall is kind of like a security guard or doorman at the building entrance. All mail has to go through him first and if something is addressed to a closed flat (port) he simply doesn't let it get delivered.

[–] 520@kbin.social 17 points 7 months ago* (last edited 7 months ago)

Yep! The security guard is also given a bunch of rules to follow such as "don't let anyone outside of our neighbourhood (aka your local network) contact door 22", which will also determine whether messages get delivered or not.

[–] dan@upvote.au 12 points 7 months ago* (last edited 7 months ago) (1 children)

I love your analogy for ports, but I'm not sure about the VPN one.

If you imagine network traffic as mail going through the postal system, then a VPN is like a private mail tunnel between two locations, that nobody else can enter or look into. Mail sent via the tunnel is private and nobody else can read it. The person at the other end of the tunnel can either open the mail themselves (ie a VPN from your laptop to your home server to access it when you're away), or forward the mail somewhere else (ie if you're routing Internet-bound traffic through it) and nobody will know it came from you originally.

[–] my_hat_stinks@programming.dev 7 points 7 months ago (2 children)

I'm not sure that's a completely accurate analogy either. When you're using a VPN people can still see that you are sending traffic through your tunnel, they just can't tell what it is that you're sending. It's like looking through frosted glass; there's definitely something moving in there but you can't tell what.

I suppose the best way to describe it is you send a locked box to a trusted friend; everyone handling it can see the box but can't tell what's inside. Inside the box is a letter, your friend posts it so it looks like it came from them. Your friend then gets a reply, puts it in a locked box, and send it back to you. Nobody between you and your friend can snoop on your mail but anyone between your friend and the final destination can.

[–] _dev_null@lemmy.zxcvn.xyz 3 points 7 months ago

locked box

As soon as I read this I read the rest of your comment in Al Gore's voice, ca 2k SNL, lol.

[–] dan@upvote.au 2 points 7 months ago

Great point. Analogies are hard :)

[–] umbrella@lemmy.ml 3 points 7 months ago

I have nothing to add, I just like your analogy.

Excellent description.

[–] intensely_human@lemm.ee 26 points 7 months ago (1 children)

A “port” is just a number that gets assigned to network messages to differentiate targets within the same IP address.

One program is “listening on port 1”, which means it has told the operating system “anything labeled port 1, send it to me”.

It’s sort of like saying “attention: Joe” versus “attention: Sue” on an address. Same address, same building, but that “attention” line means to put it on Joe’s desk inside the building.

Except instead of “attention: Joe”, it’s just “attention: 22”. A numerical code that represents a “mailbox” inside the computer.
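To see the "attention: 22" idea in actual socket calls, here is an added example that is not from any commenter in this thread. Two threads each ask the OS for a listening port on loopback (port 0 means "give me any free one"), a client sends a different message to each, and the OS uses nothing but the destination port number to decide which listener gets which bytes. The client's own `getsockname()` also shows the port the OS picked for it as the return address. Host address and message texts are constructed for the demo.

```python
import socket
import threading


def open_listener() -> socket.socket:
    """Ask the OS for a listening socket on loopback.  Port 0 means
    'pick any free port'; the chosen number comes back from getsockname()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def serve_once(listener: socket.socket, inbox: dict) -> None:
    """Accept one connection, record the bytes received under the listener's
    own port number, and reply with a short acknowledgement."""
    conn, _peer = listener.accept()
    with conn:
        port = listener.getsockname()[1]
        inbox[port] = conn.recv(1024)
        conn.sendall(b"delivered to port %d" % port)


def demonstrate_port_demux() -> dict:
    """Two 'programs' (threads) listen on two ports at the same IP address.
    A client sends a different message to each; the OS routes each message
    by destination port alone.  Returns what each listener received, what
    the client heard back, and the ports the OS assigned to the client."""
    inbox: dict = {}
    listeners = [open_listener(), open_listener()]
    workers = [threading.Thread(target=serve_once, args=(lst, inbox)) for lst in listeners]
    for w in workers:
        w.start()

    result = {"received": {}, "replies": {}, "client_ports": []}
    for lst in listeners:
        port = lst.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port)) as client:
            # The OS also hands the *client* a port: the "return address"
            # the listener will answer to.
            result["client_ports"].append(client.getsockname()[1])
            client.sendall(b"hello port %d" % port)
            result["replies"][port] = client.recv(1024).decode()

    for w in workers:
        w.join()
    for lst in listeners:
        lst.close()
    result["received"] = {port: data.decode() for port, data in inbox.items()}
    return result


if __name__ == "__main__":
    print(demonstrate_port_demux())
```

Both listeners share the address 127.0.0.1; only the number differs, which is the whole content of "a port is just a number".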

[–] bastion@feddit.nl 3 points 7 months ago

That is The Good Answer.

Another, very similar way of thinking about it is that it's effectively like an apartment or office number. A post office typically ignores it, but if told to, they would forward a specific apartment number at a specific address to a new address and apartment number.

[–] teawrecks@sopuli.xyz 18 points 7 months ago (1 children)

If IP addresses are for finding the specific computer on a network you're wanting to talk to, Ports are for finding the specific application you want to talk to on that computer. So kinda like a phone extension. When an application "opens" a port, they're just telling the OS "hey, if any packets come in on this port, send the data my way, I'll know what to do with it".

A firewall is a special program the OS uses to control access to its ports. It says what programs are allowed to access what ports, effectively controlling the ability for all apps to access the network.

The only other thing to know is that the first 1024 port values are usually heavily controlled by the OS because there are specific protocols that are traditionally used on those specific ports, so you usually don't want just any application claiming one of those ports willy-nilly.

Oh, and you may have had to deal with "port forwarding" on your router. This is because, if some computer outside your network sends a packet to your router targeting a specific port number, the router doesn't know which computer it should go to. So by default, it just ignores it (which is usually the safest thing to do). Port forwarding tells your router, "if any packets come in on this port, send them to the computer at this IP, they'll know what to do with it."
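The port-forwarding rule in the last paragraph, as an added example in Python (not code from anyone in the thread). A tiny "inside" server on loopback stands in for the computer on your LAN, a second listener stands in for the router's forwarding rule and relays every byte of a connection to that inside server, and the "outside" client only ever knows the router's address and port. The second function shows what happens with no rule: nothing is behind the port, so the connection goes nowhere (a real router silently drops the packet; loopback answers with "connection refused"). All addresses and messages are constructed for the demo.

```python
import socket
import threading


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_inside_server() -> socket.socket:
    """The machine on the LAN that should receive forwarded traffic.
    It echoes whatever it gets, prefixed so we can tell it answered."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(b"inside got: " + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_forwarder(target: tuple) -> socket.socket:
    """Stand-in for the router's rule 'packets for this port go to that LAN
    host': one connection arriving on the forwarder's port is relayed,
    byte for byte, to `target` (a host, port pair)."""
    front = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    front.bind(("127.0.0.1", 0))
    front.listen(1)

    def relay_one():
        outside, _ = front.accept()
        inside = socket.create_connection(target)
        threading.Thread(target=_relay, args=(outside, inside), daemon=True).start()
        _relay(inside, outside)
        outside.close()
        inside.close()

    threading.Thread(target=relay_one, daemon=True).start()
    return front


def demo_port_forward(message: bytes = b"hello from the internet") -> bytes:
    """Outside client -> router port -> inside server, and the reply back."""
    inside = start_inside_server()
    router = start_forwarder(inside.getsockname())
    try:
        with socket.create_connection(router.getsockname()) as client:
            client.sendall(message)
            return client.recv(4096)
    finally:
        router.close()
        inside.close()


def unforwarded_port_refused() -> bool:
    """No rule, nothing listening: the connection attempt cannot succeed."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()                      # port is free again: nobody is behind it
    try:
        socket.create_connection(("127.0.0.1", free_port), timeout=2).close()
        return False
    except ConnectionRefusedError:
        return True


if __name__ == "__main__":
    print(demo_port_forward())
    print("unforwarded port refused:", unforwarded_port_refused())
```

The forwarder never looks at the bytes it relays, which is exactly why a forwarded port exposes whatever program is listening on the inside host, bugs included.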

[–] emptiestplace@lemmy.ml 4 points 7 months ago* (last edited 7 months ago) (1 children)

This is really good, I just want to clarify one thing:

there are specific protocols that are traditionally used on those specific ports

Protocols are not 'used on ports', it's actually the other way around: TCP and UDP are both protocols operating on top of IP, each with its own set of ports to help direct traffic, exactly as you explained.

There are other protocols, like ICMP or GRE, that exist quite happily without knowing anything about ports (ICMP has types and codes, GRE doesn't).

Edit: I suppose it is actually a bit ambiguous because we also refer to applications (HTTPS, telnet) as protocols. I'm not sure if there is a standard way to differentiate when discussing other than just saying transport layer protocol / application layer protocol.

[–] teawrecks@sopuli.xyz 2 points 7 months ago

Yeah, didn't want to dig deep in the interest of brevity, but I didn't want to say that specific applications use those ports, even though I already said that ports in general are for applications. You can use whatever ftp, ssh, or http server you want as long as they "speak" the expected protocol.

[–] lolcatnip@reddthat.com 9 points 7 months ago* (last edited 7 months ago)

Without invoking any analogies, a port is just a number. When an application on your computer sends or receives data, there is a port number associated with it. A server-side application listens for data with a particular port number, and a client side application needs to send data with the same port number to communicate with the right server application. The operating system uses the port number to route incoming data to the right application, and it ensures that only one application at a time can use any given port number.

Some port numbers are assigned to specific protocols (by IANA, I believe), like 80 for HTTP and 443 for HTTPS, so when you see a URL, the default port is usually implied by the protocol, but it can always be specified. For instance, https://google.com is equivalent to https://google.com:443. For more obscure protocols without assigned port numbers, you'll usually see the port number in a URL, and this tends to happen in the same scenarios where you don't have a domain name, so you'll also see an IP address in a URL. It also happens when you need to run more than one of the same kind of server on a single machine. For example, when developing an HTTP server app, it's customary to use port 8080 or 8888 to distinguish it from the "official" server app on the same machine using port 80, so your development server app will have a URL that looks like http://192.168.0.1:8080.

Typically ports 0-1023 are reserved by the operating system for programs set up by an administrator, and ports starting at 1024 up to a maximum of 65535 are available to any user, so they're perfect for, say, a Jellyfin server or an app you're developing. If someone gives you a URL with a port number, especially if it's above 1023, make sure you trust the owner of the URL, because it can be a giveaway that someone is doing something shady.
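The three concrete claims in this answer (the default port is implied by the URL scheme, the OS gives a port to one program at a time, and port numbers fall into ranges) as an added Python example that is not from the commenter. It goes slightly beyond the comment by splitting 1024-65535 the way IANA does, into "registered" (1024-49151) and "dynamic" (49152-65535). The scheme-to-port table is limited to the three schemes mentioned in the thread.

```python
import errno
import socket
from urllib.parse import urlsplit

# Well-known ports as registered by IANA; only the ones this thread mentions.
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22}


def url_endpoint(url: str) -> tuple:
    """Return (host, port) for a URL, filling in the scheme's default port
    when the URL omits it: https://google.com -> ('google.com', 443)."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        raise ValueError("no default port known for scheme %r" % parts.scheme)
    return parts.hostname, port


def port_class(port: int) -> str:
    """Classify a port number by the IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "privileged"   # needs root / CAP_NET_BIND_SERVICE on Linux
    if port <= 49151:
        return "registered"
    return "dynamic"


def second_bind_errno() -> int:
    """The OS hands a port to one program at a time: bind a listener on a
    free loopback port, then try to bind a second socket to the same
    (address, port).  Returns the errno of the second bind, 0 if it succeeded."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    first.bind(("127.0.0.1", 0))
    first.listen(1)
    port = first.getsockname()[1]
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind(("127.0.0.1", port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        second.close()
        first.close()


def port_is_exclusive() -> bool:
    """True when the second bind failed with 'address already in use'."""
    return second_bind_errno() == errno.EADDRINUSE


if __name__ == "__main__":
    print(url_endpoint("https://google.com"))
    print(url_endpoint("http://192.168.0.1:8080"))
    print(port_class(443), port_class(8080), port_class(60000))
    print("one program per port:", port_is_exclusive())
```

The "address already in use" error from `second_bind_errno` is the same one you see when you start a second server on a port the first one still holds.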

[–] WolfLink@lemmy.ml 8 points 7 months ago

The short answer is, when your computer sends a message over the network, the IP address specifies which computer should receive the message, and the port specifies which program should receive the message.

[–] HottieAutie@lemmy.dbzer0.com 6 points 7 months ago

Think of the Internet as being able to send opened letters with a destination address and return address. Anyone that handles the letter to help deliver it can see what it says, who's sending it, and where it's going.

A VPN is like asking a company to help you transmit the letter with more privacy. The VPN creates a secret code between you and the VPN, so that only you two understand what is in the letter. Then, the VPN communicates with whomever while not sharing your identity so that no one knows who you are unless you specifically tell them in the letter.

Say you want to know what the symptoms you're experiencing after a sexual encounter are, but you're embarrassed and don't want anyone to suspect anything in case it's nothing. You tell your VPN you want to send a letter to the medical info center. The VPN tells you to use a code that was created automatically so that no one knows what it means besides you and their code machine, and was sent to you earlier when you signed up for their service or at a regular update. "Use code 5 we sent you last week." You write the letter and address in code 5, then address it in normal language to the VPN, sending it via the mail system. The VPN machine translates the code to normal language but changes the return address to its own address. The medical info center receives a letter saying that the VPN wants to know the info you requested, so they respond. The VPN receives the info, translates it back to code 5, and sends the info to you.

As far as everyone in the mail system is concerned, you sent and received info from the VPN, but only you know what it was because the mail system couldn't understand it, and the VPN handled it through an automated machine. The medical mail system and medical info center then knows what the letter said, but thinks the VPN requested that info, so they don't know it was you. Since the VPN handles tons of mail, no one knows who is requesting what specific info through the VPN.

Note: This assumes the VPN doesn't keep logs. Some VPNs might actually track what you send, so they could keep track of your messages. That's why people that value privacy recommend to use VPNs that don't keep logs.

[–] WolfLink@lemmy.ml 5 points 7 months ago

The port is used by the destination computer to decide what program should process the request.

Any program on your computer that needs to be open to being contacted by another computer over the network needs to be assigned to a port. When the remote computer wants to contact that program, the IP address is used by intermediate networking computers to forward the message, and the port is used by your computer to pass the message to the right program. Blocking a port will prevent the program assigned to it from being contacted by other computers.

Some ports are traditionally assigned to some common programs. When you go to a website via http in a browser, it uses port 80 if you don’t specify. If you use https, it uses port 443. SSH uses port 22 by default. You can host an ssh server or http website on a different port, those are just the common conventions. If an http website is hosted on a port other than 80, the user will need to specify the port number in the browser as part of the url.

VPNs are usually not so much about ports, more about IP addresses. When your computer wants to contact another computer, it normally sends the request to the router, and that router forwards that request either to another computer on LAN or to the ISP, and that ISP forwards the request and so on… based on the IP address. If you are using a VPN, that VPN will override certain IP addresses. When a message would be sent to one of those IP addresses, instead it gets packaged and sent to the IP address specified in the VPN config, and the computer on the other side of the VPN decides where to send the message from there. The router sends the packaged message to the VPN computer, but doesn't get to know what the IP of the packaged message is (by packaged I mean encrypted, and with some metadata).

Where VPNs and Ports end up being relevant is probably in relation to port forwarding. Normally your computer can make requests to the internet, but can’t be contacted by the internet. This is because your entire LAN shares a public (WAN) IP address, and the router is the device that receives all messages to that IP address. Normally the router discards such incoming messages, but if you set up port forwarding, the router will forward messages for a certain port to a certain computer on the LAN.

A VPN can allow your computer to receive incoming requests without opening a port on the router. When a request meeting requirements specified in the VPN config is received by the computer on one side of the VPN, it will be forwarded to the computer on the other side of the VPN. For a public VPN (the kind you would pay for that are typically advertised as a privacy tool or a way to get around Netflix geofencing), you can sometimes configure port forwarding, meaning any request sent to that port on the VPN’s server will get forwarded to your computer connecting to the VPN (typically to the same port, so what happens to that request is up to you to configure a program to be assigned to that port).

The other way a VPN can be used for that kind of contact is when it maps all requests to any port on a set of IP addresses. This is typically how office VPNs are configured, as it lets a remote user access things on the office network as if that user was in the office.

Note that a VPN is itself a pair of programs communicating with each other like any other program, so typically setting up a VPN requires one of the computers to be exposed to the internet (or at least have ports set up for that). For a public paid VPN the VPN’s servers will be exposed to the internet, and for a corporate VPN the corporate servers will be closed, such that the client doesn’t have to.

Some common VPN software (e.g. WireGuard) is free and open source and can be configured in a lot of different ways! These two common use cases are just the most common ways to configure VPNs, but if you have some creative use case, there’s a lot you could do with it.
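The "locked box" / "packaged and encrypted" picture that dan, my_hat_stinks, HottieAutie and WolfLink describe above, as an added Python example that is not from any of them. A request is wrapped in an inner packet, sealed with a key shared only by the laptop and the VPN server, and sent to the VPN; the VPN unseals it, rewrites the return address to its own, and forwards it. An observer on the laptop-to-VPN hop sees who is talking to the VPN but not what is said; an observer on the VPN-to-website hop sees the content but only the VPN's address. The cipher here is a toy (SHA-256 in counter mode plus an HMAC tag) so the example runs with the standard library only; real VPNs such as WireGuard use proper AEAD ciphers. The node names, key and request are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed names for the three parties.
CLIENT, VPN, WEBSITE = "laptop", "vpn-server", "medical-info-site"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode.  Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, inner: bytes) -> bytes:
    """Lock the box: fresh nonce, encrypt, then an HMAC tag over nonce+ciphertext."""
    nonce = os.urandom(12)
    ct = keystream_xor(key, nonce, inner)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Unlock the box; refuse it if anyone on the way tampered with it."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered packet")
    return keystream_xor(key, nonce, ct)


def pack(src: str, dst: str, payload: bytes) -> bytes:
    """Inner packet: the letter inside the box, with its own addresses."""
    return ("%s|%s|" % (src, dst)).encode() + payload


def unpack(raw: bytes) -> tuple:
    src, dst, payload = raw.split(b"|", 2)
    return src.decode(), dst.decode(), payload


def client_send(key: bytes, request: bytes) -> dict:
    """Laptop -> VPN: the outer packet is addressed to the VPN only."""
    return {"src": CLIENT, "dst": VPN, "payload": seal(key, pack(CLIENT, WEBSITE, request))}


def vpn_forward(key: bytes, outer: dict) -> dict:
    """VPN -> website: unseal, then send on with the VPN as return address."""
    _src, dst, payload = unpack(open_sealed(key, outer["payload"]))
    return {"src": VPN, "dst": dst, "payload": payload}


def website_reply(pkt: dict) -> dict:
    """The website answers whoever it thinks asked: the VPN."""
    return {"src": WEBSITE, "dst": pkt["src"], "payload": b"200 OK: " + pkt["payload"]}


def vpn_return(key: bytes, reply: dict) -> dict:
    """VPN -> laptop: the reply goes back into a locked box."""
    return {"src": VPN, "dst": CLIENT, "payload": seal(key, pack(reply["src"], CLIENT, reply["payload"]))}


def client_receive(key: bytes, outer: dict) -> bytes:
    _src, _dst, payload = unpack(open_sealed(key, outer["payload"]))
    return payload


def observer_view(pkt: dict, secret: bytes) -> dict:
    """What someone on a hop learns: the endpoints always, the content only
    if it travels in the clear (frosted glass vs. an open letter)."""
    return {"from": pkt["src"], "to": pkt["dst"], "can_read": secret in pkt["payload"]}


def run_exchange(request: bytes = b"GET /symptoms") -> dict:
    key = os.urandom(32)          # shared laptop/VPN key ("code 5" in the analogy)
    hop1 = client_send(key, request)
    hop2 = vpn_forward(key, hop1)
    hop3 = vpn_return(key, website_reply(hop2))
    return {
        "isp_sees": observer_view(hop1, request),
        "site_side_sees": observer_view(hop2, request),
        "client_got": client_receive(key, hop3),
    }


def tamper_is_detected() -> bool:
    """Flip one ciphertext bit in transit: the VPN must refuse the box."""
    key = os.urandom(32)
    blob = bytearray(seal(key, b"x"))
    blob[12] ^= 1
    try:
        open_sealed(key, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_exchange())
```

The `site_side_sees` result is the point my_hat_stinks makes: anyone between the VPN and the final destination can read the mail, and the VPN itself of course can too, which is where the "no logs" question comes from.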

[–] flashgnash@lemm.ee 5 points 7 months ago

A port is basically what it sounds like, a hole in your network to allow traffic to get to your PC.

When you forward a port you send all traffic trying to get into that port to the computer you configure it to forward to. I believe forwarding and opening are synonymous, I'm sure someone will correct me if I'm wrong.

There are two protocols for transmitting data you can open/close individually, TCP and UDP. Depends on the application: some want one, some want the other, some can use either, or some want both.

Opening ports allows anyone with your IP address to get at your computer, which means they have a chance to exploit any vulnerabilities there might be in your OS, networking stack, software etc., so generally it's a good idea not to leave them open unless absolutely necessary.

Personally I use Tailscale to get around having to open ports, makes it as if they're all on the same network.

[–] Unmapped@lemmy.ml 3 points 7 months ago* (last edited 7 months ago) (1 children)
[–] Daxter101@lemmy.blahaj.zone 4 points 7 months ago

I mean, you're not wrong. Just a bit of an asshole.

[–] Vent@lemm.ee 3 points 7 months ago

All these answers read like they're written for comp sci students rather than a general audience. Let me give an ELI5 (more like ELI12) a shot.

Ports are just numbers. They aren't physical pathways or doors or windows or anything like that. A better analogy is a street address, like an apartment number. Your IP address identifies your computer (apartment building), and the port identifies the program on the computer (the apartment). When a program needs to talk to the internet, which is very similar to sending a letter, it hands a packet/letter to your computer and your computer assigns the program a port number. It then puts that number on the return address of the letter so that the recipient knows where to send the response. The computer remembers that port number is associated with that program, so when it gets an incoming letter with that number, it gives it to the program. After the program is done talking to the internet, the computer frees the port up to be used by another program.

Ports are "closed" when there is no program associated with them. Any incoming letters are ignored because they have nowhere to go.

Ports are "open" when they're associated with a program. This happens automatically when programs send outgoing letters, or you can manually open (or "forward") ports by telling your computer/router what the port should be associated with and that it shouldn't use the port for something else.

ELI5 over.

The internet is networks on top of networks on top of networks, so your computer will have an IP and assign a port number, then your router will remember that and change the address on the letter to its own IP with a different port number, then that process repeats a few more times until eventually it reaches its destination. You don't have to deal much with your computer's internal network, but occasionally you have to deal with your router's by opening/forwarding a port because it has a NAT that has to deal with all of the devices on your network. Forwarding the port just tells your router to always send incoming letters with that port number to a specific device.

[–] JoeBidet@lemmy.ml 3 points 7 months ago (1 children)

"porte" in French means a door.

Imagine each port is a door, all neatly aligned... some of them can be opened and lead to something... (a service)

[–] Deez@lemm.ee 3 points 7 months ago (1 children)

And when you go through the door, you must know the language to speak (the protocol) or you may be told to leave or ignored.

[–] JoeBidet@lemmy.ml 1 points 7 months ago

yeah you need to know the password or secret handshake (like a protocol handshake) to be let in! :)