Somebody outside your house trying to connect in only sees one IP address, which is your router. Your router generally does not allow *incoming* connections without one of your computers requesting it first, and even if it did allow random people to send traffic into your network, there are usually multiple computers in your house and an incoming connection to your router’s publicly-visible IP address would not connect to any single one of your computers in particular. So if anybody wants to connect into your house from outside to reach your (for example) Minecraft server, there are 2 barriers – a security lockout and also, the traffic needs to somehow get routed to your *gaming computer specifically*, not your cell phone or smart lightbulb or whatever other devices are on your network.

Ports are basically traffic that is tagged for use by a specific program or service. When you forward a port you are telling your router 2 things:
1. This specific type of incoming traffic is allowed
2. When you allow this type of traffic, I want it to go to my gaming computer (not my cell phone, etc)

This is a potential security risk because now anybody on the internet can talk to your gaming computer while it would normally be shut off to outside connections. Any Minecraft-related traffic sent to your house will be routed to your gaming computer. Now, because that port is specific to Minecraft (or whatever game) the only program on your computer that will actually accept and interact with that incoming traffic is the game. So random people from outside “shouldn’t” be able to do anything harmful like see all your files or install unwanted software just because you opened a Minecraft-specific port. However, you need to be very sure your game is kept updated and is from a trusted company in the first place. If there is some security vulnerability that would allow somebody to interact with your game and by doing so, get access to the rest of your computer, that would be a risk.

Normally sending things across the internet is like using a set of mailboxes to send and receive mail.

Your computer has 65536 “ports” with numbers. Think of them as letterboxes, mailboxes, etc. each with a number on. When you send a message out to the world (like posting a letter), you put it in a certain number mailbox and it gets sent out to the world. When you receive a message, it has to be addressed to a number, and the message is then put into that mailbox only.

For the majority of home users, you can send mail from any of those numbers. When you do, any reply will come back to the same number mailbox that you sent it from.

Your router/firewall have a thing called a NAT gateway that is clever enough to pass that mail on for you, but also remember what number mailbox you started the conversation from.

So if someone tries to send you something to an mailbox that you HAVEN’T used, the computer/router are smart enough to know that, and they just throw that mail away. You didn’t “start” that conversation, so they know it’s nothing you’ll be interested in.

For instance, say you want to go to Facebook. You send a message to Facebook but you send your “letter” to Facebook from a random number. If Facebook get the message, they only know the address it came from, so they will send their reply back to that same number. Because the numbers match (you spoke to Facebook from that number, and Facebook replied to that number), your router/firewall allow the rest of the conversation to happen.

But if someone comes along and wants to talk to your computer and just picks any number, including the number you spoke to Facebook on, the router/firewall knows that you weren’t having a conversation with them on that number. That’s the number you were using to talk to Facebook, not them. So it refuses the conversation. Similarly, if someone just made up a number, and you’ve not started any conversations from that mailbox, it will just throw any incoming messages to that mailbox away.

This works great, and has many benefits beyond a mild security. But it means that people can’t “just talk” to you without you starting the conversation. For instance if you want to talk to your friend, and both you and your friend use the same system, neither of you can ever start the conversation because the other side will always just ignore it.

In the old days, everyone moaned about NAT and how it worked, because it meant that you couldn’t “just talk” to someone. Now almost every home users on the planet have such a NAT setup in their router. Most webservers, game coordination servers, etc. do *NOT* have a NAT setup. So you can always talk to Facebook, or XBox Live because they want you to start the conversation. But when you’re trying to play with a friend who is also behind NAT, both of you will not let the other side start the conversation, so you have to have some way to “start” the conversation and that means changing your router/firewall slightly.

So what you have is a “port-forward”. This basically says to the firewall “any mail that comes into number 2319, wherever it came from, let me read it on my computer over there”. And your firewall/router will then allow that. Now, one of you can initiate a conversation and once it’s started, both of you will know how to reply and your routers/firewalls will allow it through.

Port-forwarding is generally only required when you’re doing this kind of “hole-punching” in your firewall, and it can be a security risk if the computer that you “allow” to handle those incoming messages is vulnerable. You never really need port-forwarding to do ordinary consumer things like web browse, watch videos, send email, or play through a game co-ordination service like XBox Live or Steam. That’s because the other end WANTS you to start the conversation, so they don’t have a NAT setup (and in the case of Steam, etc. both you and your friend can start the conversation with Steam, and Steam relay the messages between the two of you so that you don’t have to forward any ports). But almost every home and most offices will have a NAT setup.

And most datacentres, companies hosting servers, etc. will either have to configure port-forwarding for the services they want to offer (e.g. web, email, etc.) or do not have a NAT setup at all.

Generally speaking, port-forwarding should be unnecessary for the average user. In fact there are ISPs out there that won’t LET you port-forward, even if you try to. But it’s only when you want to “host services” (i.e. you want to let all messages through and have the OTHER side to initiate the conversation) that you ever need to do it.

In work I host websites, so I have to “port-forward” port 80 (which is the HTTP web port) and port 443 (HTTPS) to my webserver. Now anyone in the world can talk to my webserver, even though there’s a firewall between us. This could be dangerous. You’re basically opening up holes in your firewall.

For the most part, port-forwarding should be entirely unnecessary these days, and if you don’t understand when you need it and when you don’t, then I would suggest that you shouldn’t be forwarding ports at all. As an IT manager, I refuse port-forwards on my networks unless someone has a really good reason for them, AND we can justify it from a security point of view.

If you want to host, say, a Minecraft server from your home PC, then it’s possible you’ll need to “forward” the Minecraft port to the address of your home PC. What you’re doing it when that happens is that you’re cutting a small hole in your firewall to allow the entire Internet to talk to your Minecraft server.

For everything else – including the vast, vast, vast, vast, vast majority of games etc. that you’ll ever play, port-forwarding isn’t needed. And there’s something called UPNP which is like an “automatic” port-forwarding, which is both dumb, insecure and dangerous. It’s also entirely unnecessary (I’m a massive gamer, and host many IT services, and I disable UPNP on all my routers and networks, personal and professional). UPNP is like having your computer shoot holes in your firewall whenever it feels like it.