---
title: "Destination Port — AP Cybersecurity Definition & Exam Guide"
description: "The destination port tells a packet which service or app it's headed for, and firewalls filter on it. Key to ACL rules and SSH/HTTP traffic on the AP exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/destination-port"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 3"
---

# Destination Port — AP Cybersecurity Definition & Exam Guide

## Definition

In AP Cybersecurity, the destination port is the logical port number a packet is being sent TO, identifying the service or application it's meant for (like port 22 for SSH or 80 for HTTP). Firewalls use it in access control list rules to allow or deny traffic.

## What It Is

A **destination port** is the [port](/ap-cybersecurity/key-terms/port "fv-autolink") number that tells a packet where it's going, meaning which service or application on the receiving device should handle it. Think of an [IP address](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink") as the building and the destination port as the specific apartment number inside it. Port 22 means SSH, port 80 means HTTP, port 443 means HTTPS, and so on.

This matters for firewalls because the destination port shows up in the packet header, and a **[stateless firewall](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa "fv-autolink")** filters traffic based on header info like IP addresses, ports, and protocols (EK 3.4.A.2). When a firewall rule reads `Allow inbound TCP port 22 from ALL;`, that "port 22" is the destination port, the one designated for SSH. The firewall reads it, checks it against the **access control list (ACL)**, and decides to permit or deny.

## Why It Matters

Destination port lives in [Unit 3](/ap-cybersecurity/unit-3 "fv-autolink"): Securing Networks, specifically Topic 3.4 (firewalls). It directly supports [[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 3.4.B] (how a firewall uses an ACL to allow or deny traffic) and [AP Cybersecurity 3.4.D] (configuring a firewall to manage traffic flow). EK 3.4.D.2 spells out that firewall rules allow or deny traffic based on source or destination port, IP address, service, protocol, or application. If you can't pick out the destination port in a rule, you can't read or write an ACL, and ACLs are the core skill the whole firewall topic builds toward.

## Connections

### [Source Port (Unit 3)](/ap-cybersecurity/key-terms/source-port)

These are the two halves of a connection. The [source port](/ap-cybersecurity/key-terms/source-port "fv-autolink") is where traffic comes FROM on the sender, and the destination port is where it's going TO on the receiver. A firewall can filter on either, so knowing which is which keeps you from misreading an ACL rule.

### Access Control List (ACL) (Unit 3)

The destination port is one of the criteria an ACL rule filters by. Rules are checked in order, and the first match wins, so a rule targeting destination port 80 fires the moment a matching packet shows up.

### Port and Open Port (Unit 3)

A destination port is just a port used in the 'where is this headed' role. An [open port](/ap-cybersecurity/key-terms/open-port "fv-autolink") is one accepting connections, which is exactly what you control by allowing or denying traffic to a given destination port.

### [Protocol (Unit 3)](/ap-cybersecurity/key-terms/protocol)

Destination ports map to specific [protocols](/ap-cybersecurity/key-terms/protocol "fv-autolink") by convention: 22 is SSH, 80 is HTTP, 443 is HTTPS. A firewall rule usually names the protocol (TCP or UDP) and the destination port together, since the port tells you which service the protocol is carrying.

## On the AP Exam

Expect multiple-choice questions that hand you a firewall rule and ask you to identify which part is the destination port. For example, in `Allow inbound TCP port 22 from ALL;` you should know that port 22 is the destination port (SSH) and `from ALL` is the source. A related question on `Deny inbound TCP port 443 from 203.45.67.89;` asks which part identifies the SENDING device, which is the source IP, not the destination port. The skill is reading each component of an ACL rule and labeling it correctly: direction, port, protocol, source, action. Practice taking apart and writing these rules.

## destination port vs source port

Source port is where traffic originates; destination port is where it's headed. In a rule like `Allow inbound TCP port 22 from ALL;`, port 22 is the destination (SSH), and `from ALL` describes the source. Swapping these two is the most common ACL-reading mistake, so anchor on direction: inbound traffic's destination is your network, its source is outside.

## Key Takeaways

- The destination port identifies which service or application a packet is being sent to, like port 22 for SSH or port 80 for HTTP.
- Firewalls read the destination port from the packet header and use it in ACL rules to permit or deny traffic (EK 3.4.D.2).
- In a rule like `Allow inbound TCP port 22 from ALL;`, port 22 is the destination port and `from ALL` is the source.
- Source port and destination port are different: source is where traffic comes from, destination is where it's going to.
- ACL rules are checked in order, and the first rule matching the destination port (and other criteria) is the one that executes (EK 3.4.B.2).

## FAQs

### What is a destination port in AP Cybersecurity?

It's the port number a packet is being sent to, which identifies the target service or application, like port 443 for HTTPS. Firewalls use it as a filtering criterion in access control list rules.

### Is the destination port the same as the source port?

No. The source port is where the traffic comes from, and the destination port is where it's headed. In an inbound rule, the destination port is the service on your own network being targeted.

### How do I find the destination port in a firewall rule?

Look for the port number tied to the service. In `Allow inbound TCP port 22 from ALL;`, port 22 is the destination port (SSH), while `from ALL` describes the source. The 'from' part is always the source, so the port being permitted or denied is the destination.

### Why do firewalls filter by destination port?

Because the destination port tells the firewall which service the traffic wants to reach. Blocking destination port 80 stops HTTP traffic, for example, which lets a network administrator allow some services and deny others (EK 3.4.D.2).

### What port numbers should I know for the AP exam?

The illustrative examples use port 22 for SSH and port 80 for HTTP, and 443 for HTTPS is commonly paired with them. Knowing which protocol a destination port maps to helps you read and write ACL rules correctly.

## Related Study Guides

- [3.4 Protecting Networks: Firewalls](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/destination-port#resource","name":"Destination Port — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/destination-port","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/destination-port#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:30.112Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/destination-port#term","name":"destination port","description":"In AP Cybersecurity, the destination port is the logical port number a packet is being sent TO, identifying the service or application it's meant for (like port 22 for SSH or 80 for HTTP). Firewalls use it in access control list rules to allow or deny traffic.","url":"https://fiveable.me/ap-cybersecurity/key-terms/destination-port","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.4, LO 3.4.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.4, LO 3.4.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.4, LO 3.4.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.4, LO 3.4.D"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a destination port in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's the port number a packet is being sent to, which identifies the target service or application, like port 443 for HTTPS. Firewalls use it as a filtering criterion in access control list rules."}},{"@type":"Question","name":"Is the destination port the same as the source port?","acceptedAnswer":{"@type":"Answer","text":"No. The source port is where the traffic comes from, and the destination port is where it's headed. In an inbound rule, the destination port is the service on your own network being targeted."}},{"@type":"Question","name":"How do I find the destination port in a firewall rule?","acceptedAnswer":{"@type":"Answer","text":"Look for the port number tied to the service. In `Allow inbound TCP port 22 from ALL;`, port 22 is the destination port (SSH), while `from ALL` describes the source. The 'from' part is always the source, so the port being permitted or denied is the destination."}},{"@type":"Question","name":"Why do firewalls filter by destination port?","acceptedAnswer":{"@type":"Answer","text":"Because the destination port tells the firewall which service the traffic wants to reach. Blocking destination port 80 stops HTTP traffic, for example, which lets a network administrator allow some services and deny others (EK 3.4.D.2)."}},{"@type":"Question","name":"What port numbers should I know for the AP exam?","acceptedAnswer":{"@type":"Answer","text":"The illustrative examples use port 22 for SSH and port 80 for HTTP, and 443 for HTTPS is commonly paired with them. Knowing which protocol a destination port maps to helps you read and write ACL rules correctly."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 3","item":"https://fiveable.me/ap-cybersecurity/unit-3"},{"@type":"ListItem","position":4,"name":"destination port"}]}]}
```
