diff --git a/doc/ports.md b/doc/ports.md
new file mode 100644
index 0000000000000000000000000000000000000000..c938a583fe462f53af98a35d167775ecd536fff4
--- /dev/null
+++ b/doc/ports.md
@@ -0,0 +1,39 @@
+# Usage of TCP ports
+
+The list of TCP ports used in SOCtools, as available from the outside:
+
+## Web interfaces
+
+| port  | description |
+| ----: | ----------- |
+|  5601 | Kibana |
+|  6443 | MISP |
+|  8888 | haproxy-stats (login: `haproxy`, password is in `secrets/passwords/haproxy`)
+|  9000 | TheHive |
+|  ??   | Cortex |
+|  9443 | NiFi web GUI |
+| 12443 | Keycloak |
+
+TODO others?
+TODO open to anyone / local only?
+
+## Data ingestion
+
+The following port ranges are opened by haproxy to allow receiving data from external systems. These ports are forwarded to NiFi nodes. So, a processor in NiFi can listen on these ports and receive data from other systems.
+
+TODO
+
+Notes: According to haproxy.cfg, the followng ports are forwarded to NiFi:
+- 7750-7760 (tcp)
+- 7771 (tcp)
+- 5000-5020 (http)
+- 6000-6020 (tcp)
+In fact, I can connect (using `nc`) to these ports 7750, 5000-5099, 6000-6099 (i.e. not 7751-7760, 7771; on the other hand, the 50??,60?? ranges are wider, I don't know where they are pointed to).
+
+
+Ports already used or reserved for ingesting specific data into the system via NiFi:
+
+| port  | description |
+| ----: | ----------- |
+
+TODO (e.g. port(s) used for preconfigured ListenBeats data)
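Review bot: The "Data ingestion" notes record an unresolved mismatch between configuration and observed exposure that should be settled before this file is used as the port inventory. haproxy.cfg is said to forward 5000-5020 and 6000-6020, yet the `nc` check reached 5000-5099 and 6000-6099, and the destination of the extra ports is unknown. In the other direction, 7751-7760 and 7771 are configured but not reachable. I suggest finding what publishes the wider ranges, narrowing them to what haproxy.cfg actually forwards, and listing only the verified ranges here. The same applies to "TODO open to anyone / local only?" in the web interfaces section: each row needs a stated reachability, in particular 8888 haproxy-stats, which is listed as available from the outside behind a single shared login, and the Cortex row still has `??` as its port. Minor points: the 8888 row is missing its closing `|`, "followng" should be "following", and the paragraph starting "In fact, I can connect" needs a blank line before it so it does not render as part of the last list item.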