How to Check If a Port Is Open on Mac

Learn how to check whether a specific port is open on your Mac or a remote server using Terminal commands and GUI tools.


You’re trying to connect to a service and it’s not working. Maybe you’re setting up a server, debugging an application, or just trying to figure out why something won’t load. One of the first questions to answer: is the port actually open?

Checking port status on macOS isn’t complicated, but there are several ways to do it depending on what you’re trying to accomplish.

What ports are and why they matter

Every network service runs on a port. When you visit a website, your browser connects to port 80 (HTTP) or 443 (HTTPS). SSH uses port 22. MySQL uses 3306. Email uses various ports depending on the protocol.

A port being “open” means something is listening on it, ready to accept connections. A “closed” port has nothing listening. A “filtered” port might have something listening, but a firewall is blocking access.

When a connection fails, knowing the port status narrows down the problem. If the port is closed, the service isn’t running. If it’s filtered, there’s a firewall issue. If it’s open but the connection still fails, the problem is elsewhere.

Checking ports on your own Mac

To see what ports your Mac is listening on, use netstat:

netstat -an | grep LISTEN

This shows all listening ports. The output includes local addresses like *.80 (listening on port 80 on all interfaces) or 127.0.0.1.3000 (listening on port 3000 but only for localhost connections).

For a cleaner view of which processes own which ports:

sudo lsof -iTCP -sTCP:LISTEN -n -P

Use sudo here: without it, lsof only shows listeners owned by your own user, and some services run as root. The output shows the process name, PID, and which port it’s listening on. If you want to know what’s using port 3000 specifically:

sudo lsof -iTCP:3000 -sTCP:LISTEN -n -P
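
Whether a listener is bound to all interfaces or only to localhost decides whether other machines can reach it. The script below is an added example, not part of the original article: it splits lsof's listening rows into network-exposed and loopback-only, and the sample rows and function names are constructed for illustration.

```shell
#!/bin/sh
# classify_listeners: reads `lsof -iTCP -sTCP:LISTEN -n -P` output on stdin and
# prints "<scope> <port> <command> <pid> <address>" per listener, sorted.
# Note: lsof writes *:80 where netstat writes *.80.
classify_listeners() {
  awk '
    $NF != "(LISTEN)" { next }          # skips the header and non-listening rows
    {
      name = $(NF - 1)                  # e.g. *:80, 127.0.0.1:3000, [::1]:5432
      i = match(name, /:[0-9]+$/)       # the port follows the last colon
      if (i == 0) next
      addr = substr(name, 1, i - 1)
      port = substr(name, i + 1)
      # Only 127.0.0.0/8 and ::1 are unreachable from other machines.
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
      print scope, port, $1, $2, addr
    }
  ' | sort -k1,1 -k2,2n
}

# Constructed sample output (not captured from a real machine).
sample_lsof() {
  cat <<'EOF'
COMMAND   PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
nginx     501  root   6u  IPv4 0x1a2b      0t0  TCP *:80 (LISTEN)
node     1234  alice 23u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:3000 (LISTEN)
postgres  700  alice  7u  IPv6 0x5e6f      0t0  TCP [::1]:5432 (LISTEN)
python3  2201  alice  4u  IPv4 0x7a8b      0t0  TCP 192.168.1.20:8000 (LISTEN)
EOF
}

# Real use: sudo lsof -iTCP -sTCP:LISTEN -n -P | classify_listeners
sample_lsof | classify_listeners
```

Anything reported as exposed that you did not intend to share with the network is worth rebinding to 127.0.0.1 or stopping.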

Checking ports on remote servers

To check whether a port is open on another machine, you need to actually try connecting to it. The simplest tool is nc (netcat):

nc -zv hostname 80

The -z flag tells nc to just scan without sending data. The -v flag makes it verbose so you see the result. If the port is open, you’ll see “Connection to hostname port 80 succeeded!” If it’s closed or filtered, you’ll see a failure message or timeout.

You can scan a range of ports:

nc -zv hostname 20-25

This checks ports 20 through 25. The output shows which ones responded.

For a quicker check of a single port, you can also use the built-in /dev/tcp trick in bash:

(echo >/dev/tcp/hostname/80) &>/dev/null && echo "Open" || echo "Closed"

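This is less readable but faster for scripting. /dev/tcp is a bash feature, so it won’t work in zsh, the default shell on current macOS; run the line with bash. It also prints “Closed” for a filtered port, and only after the connection attempt has timed out.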

Using telnet

Telnet is another option, though it’s more interactive:

telnet hostname 80

If the port is open, you’ll see “Connected to hostname.” Press Ctrl+] then type “quit” to exit. If the port is closed, you’ll see “Connection refused.” If it’s filtered, the command will hang until it times out.

Telnet isn’t installed by default on newer macOS versions. You can install it through Homebrew:

brew install telnet

Most people prefer nc because it’s built in and more flexible.

Using nmap

For serious port scanning, nmap is the standard tool. It’s not installed by default, but you can get it through Homebrew:

brew install nmap

Basic usage:

nmap hostname

This scans the most common 1000 ports and reports their status. For a specific port:

nmap -p 80 hostname

For a range:

nmap -p 1-1000 hostname

Nmap provides more detailed information than nc, including service detection and version identification. It’s overkill for checking a single port but valuable for comprehensive scanning.

Be aware that port scanning can look like an attack. Don’t scan systems you don’t own or have permission to test. ISPs and hosting providers may flag or block you for scanning their networks.

Common ports to check

When troubleshooting, these are the ports you’ll check most often:

Port 22 is SSH. If you can’t SSH into a server, check this first.

Port 80 is HTTP and port 443 is HTTPS. Web server issues often start here.

Ports 3000, 3001, 8000, and 8080 are common development server ports. If your local dev environment won’t load, one of these is probably relevant.

Port 3306 is MySQL, port 5432 is PostgreSQL, port 27017 is MongoDB. Database connection issues often come down to these ports being closed or not exposed.

Port 25 is SMTP for email sending. If your application can’t send email, this might be blocked.

Firewalls and filtering

macOS has a built-in firewall, but it’s often disabled by default. Check System Settings > Network > Firewall (or System Settings > Privacy & Security > Firewall on some macOS versions) to see if it’s on.

When the firewall is enabled, it blocks incoming connections to ports that don’t have explicit rules. Your Mac can still make outgoing connections, but other machines can’t connect to services you’re running unless you allow them.

If you’re running a local server for development and can’t connect from another device on your network, the firewall is the likely culprit. Either disable it temporarily or add a rule to allow the specific port.

Remote servers have their own firewalls. Cloud providers like AWS, Google Cloud, and Azure use security groups or firewall rules that must explicitly allow traffic on each port. A service can be running and listening, but if the firewall blocks the port, external connections will fail.

Interpreting results

Connection succeeded / Port open: Something is listening. If you still can’t use the service, the problem is with authentication, the protocol, or the service itself.

Connection refused: Nothing is listening on that port. Either the service isn’t running or it’s configured to listen on a different port.

Connection timed out / No response: A firewall is probably blocking the port. The packets are being dropped rather than rejected.

Host unreachable: The machine itself isn’t reachable. This is a routing problem, not a port problem.
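
The four outcomes above can be told apart in a script, which the /dev/tcp one-liner cannot do because it prints "Closed" for every failure. The following is an added example, not from the original article: the function names are made up here, the stderr lines are constructed in the shape macOS nc prints, and -G is assumed to be the connect-timeout flag of the nc that ships with macOS.

```shell
#!/bin/sh
# classify_probe <nc-exit-status> <nc-output>
# Prints one of: open | closed | filtered | unreachable | unknown
classify_probe() {
  status=$1
  msg=$2
  if [ "$status" -eq 0 ]; then
    echo open                      # the TCP handshake completed
    return
  fi
  case $msg in
    *"Connection refused"*)
      echo closed ;;               # the host answered, nothing is listening
    *"timed out"*)
      echo filtered ;;             # no answer at all: packets are being dropped
    *"No route to host"*|*"Host is down"*|*"Network is unreachable"*)
      echo unreachable ;;          # routing problem, not a port problem
    *)
      echo unknown ;;              # e.g. the hostname did not resolve
  esac
}

# probe_port <host> <port>: one TCP connect attempt, bounded to 3 seconds.
# Assumption: macOS nc, where -G sets the connect timeout (other builds use -w).
probe_port() {
  msg=$(nc -z -v -G 3 "$1" "$2" 2>&1) && status=0 || status=$?
  printf '%s:%s %s\n' "$1" "$2" "$(classify_probe "$status" "$msg")"
}

# Constructed nc output lines; "hostname" is a placeholder.
classify_probe 0 'Connection to hostname port 80 [tcp/http] succeeded!'
classify_probe 1 'nc: connectx to hostname port 3306 (tcp) failed: Connection refused'
classify_probe 1 'nc: connectx to hostname port 22 (tcp) failed: Operation timed out'
```

On a Mac, probe_port hostname 22 prints a line such as hostname:22 filtered.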

GUI alternatives

The Network Utility app that Apple removed in Big Sur had a port scan feature. You’d enter a hostname and port range, click Scan, and see results in a list. Simple and effective, but no longer available.

NetUtil includes a port scanner that works similarly. Enter a host, specify ports to scan, and view results in a table. It handles the common cases without requiring command line knowledge.

For developers who check ports regularly, a GUI tool saves time. You don’t have to remember syntax or parse text output. For one-off checks, nc in Terminal works fine.

Practical examples

Your web server isn’t responding: Check ports 80 and 443 on the server. If they’re closed, the web server process isn’t running or isn’t bound to those ports. If they’re open, check the server logs.

You can’t connect to your database: Check the database port (3306 for MySQL, 5432 for Postgres, etc.). Also check if the database is configured to accept remote connections. Many databases default to localhost only.

Your local development server won’t load on your phone: Check if the port is open on your Mac and if the firewall allows connections. Also make sure you’re using your Mac’s local IP address, not localhost.

SSH keeps timing out: Check port 22. If it times out rather than refusing connection, there’s likely a firewall in the way. Could be your ISP, the server’s hosting provider, or a security group setting.

Port checking is basic network debugging. Once you know whether the port is open, closed, or filtered, you know where to focus your troubleshooting.