Why check from the outside?
Running netstat or ss on the server tells you what is listening — not what is reachable. Between your service and the internet sit the OS firewall, cloud security groups, network ACLs and sometimes a NAT router. This checker connects from the public internet, so it validates the entire chain at once.
A quick exposure audit
- Test the ports you expect open (80, 443): they should be “open”
- Test the ports that must stay private (3306, 5432, 6379, 27017): they should be “timeout” or “closed”
- Test SSH (22): ideally restricted by source IP, so “timeout” from here can be a good sign
If a should-be-open port times out, work through our step-by-step port troubleshooting guide.