Networking – ::: in the Local Address of netstat output

Tags: netstat, networking

This is the output of netstat -tulpn that I get:

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2055/hpiod
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2077/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2138/sendmail: acce
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2060/python
tcp        0      0 0.0.0.0:735                 0.0.0.0:*                   LISTEN      1825/rpc.statd
tcp        0      0 :::111                      :::*                        LISTEN      1781/rpcbind
tcp        0      0 :::80                       :::*                        LISTEN      2624/httpd
tcp        0      0 :::22                       :::*                        LISTEN      2096/sshd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               2398/avahi-daemon:
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1581/dhclient
udp        0      0 0.0.0.0:729                 0.0.0.0:*                               1825/rpc.statd
udp        0      0 0.0.0.0:732                 0.0.0.0:*                               1825/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2398/avahi-daemon:
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               2077/cupsd
udp        0      0 :::32769                    :::*                                    2398/avahi-daemon:
udp        0      0 :::684                      :::*                                    1781/rpcbind
udp        0      0 :::5353                     :::*                                    2398/avahi-daemon:
udp        0      0 :::111                      :::*                                    1781/rpcbind

I'm curious to know:
what does ::: in Local Address mean? And what is 0.0.0.0:* and :::* in Foreign Address?

Best Answer

As many of the other answers mention, :: represents all zeros, and then netstat may show a colon after an address, so then you get three colons.

What I didn't see in any of these answers is a response to the question about what that really means (in this case).

In the case of netstat, :: (in IPv6) or 0.0.0.0 (in IPv4) basically means "any".
So, the software is listening on TCP port 80 (the HTTP port) on any of the addresses.

If you have multiple network card interfaces (which you do, as I'll explain in a moment), it is possible for you to listen on only a specific address. For example, with some software, you could do something like make your HTTP server listen on a network card that uses wired Ethernet, but not respond to a network card that uses wireless networking. If you did that, then your computer might do something like listen on IPv4 192.0.2.100:80 (or IPv6 2001:db8:abcd::1234:80).

But, since you're listening to ":::80", your computer isn't listening for port 80 traffic on just one incoming IP address, you're listening for port 80 traffic on any IPv6 address.

Why would you ever want to be picky about which interface you're listening on? Well, one way I've used this capability, sometimes, is to have a computer listen to the loopback interface. (Remember when I said you have multiple network card interfaces... this is one reason I said that. I'm guessing you have a real physical network connection, and that you also have a loopback interface. That is the most typical setup for most types of computers these days.) I do that with SSH tunneling. Then I can do something like make a local VNC viewer connect to the local end of an SSH tunnel. By having the SSH tunnel listen on the loopback interface, I don't need to worry that the SSH tunnel might listen to traffic that comes in from one of the physical network interfaces. So, the SSH tunnel will only see network traffic which comes from my computer.

In some cases, 0.0.0.0 or :: basically means the "unspecified" address, as specified by RFC 4291 section 2.5.2 which says "It indicates the absence of an address." I've sometimes seen this when software tries to refer to an "invalid" address (like if a computer does not have an address assigned, perhaps), where there is no specific address to display. However, in this case, the :: or 0.0.0.0 refers to an "unknown" address. That is why all of the LISTENING ports show as "unknown". For an established connection, you know who the remote end is, because you are communicating with them. For a "LISTENING" connection, you're listening for brand new conversations. That traffic could come from, well, possibly anywhere in the world. Incoming traffic could come from any address. And, the way that netstat displays that is to specify an address of all zeros. Since there is no specific address to use, the "unspecified" address seems quite appropriate.

I'll just wrap up by noting that having software listen on all network interfaces is a very common thing. Some software can be configured to listen to only a specific Internet address, or maybe a specific network card. And that can be a bit more secure, because then the software is not listening where no valid traffic is expected. That might limit an ability to attack. However, a lot of software does not have such an option, or such an option is somewhat buried/hidden. So, listening on all network cards is not a super terrible thing. It's quite common. And, if you want to prevent software from receiving traffic on a specific network port, there are other ways to accomplish that, including blocking unwanted traffic with a firewall. If you do that, the firewall may block the traffic, but the (web) server might still listen for traffic on that network interface. In that case, the server will never get traffic on that interface, but netstat will still report that the server is listening (for that traffic that won't ever reach that server). Seeing netstat report that server software is listening on all interfaces is very common, and so it is not something to be particularly alarmed about.

Lastly, I will mention that this question, and this answer, are not Linux-specific. (I'm mentioning this because I do see the "Linux" tag on this question.) The command line parameters shown, and the example output shown, might have come from Linux, and different operating systems might display things slightly differently. However, about the topic of :: and 0.0.0.0, the way that netstat works in this regard is identical on a machine running BSD or Microsoft Windows (and presumably many other systems).
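The answer's distinction between the wildcard address (0.0.0.0 / ::), a loopback bind, and a bind to one specific address is exactly what an administrator wants to pull out of netstat when auditing which services are reachable from the network. The following added example (not code from the question or the answer) parses lines in the `netstat -tulpn` format, splits each Local Address on its last colon so that `:::80` becomes host `::` and port `80`, and classifies the bind scope with the standard library's `ipaddress` module. The sample text reuses some lines from the question's output and appends two constructed lines (`example-app` on 192.0.2.100:8080 and `example-db` on ::1:5432) to show the specific-address and IPv6-loopback cases; those two services, their PIDs and the header lines are assumptions, not part of the original output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format of `netstat -tulpn`. The first six socket lines
# are copied from the question; the last two (example-app, example-db) are made up
# to show a specific-address bind and an IPv6 loopback bind.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2077/cupsd
tcp        0      0 0.0.0.0:735                 0.0.0.0:*                   LISTEN      1825/rpc.statd
tcp        0      0 :::80                       :::*                        LISTEN      2624/httpd
tcp        0      0 :::22                       :::*                        LISTEN      2096/sshd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2398/avahi-daemon:
udp        0      0 :::111                      :::*                                    1781/rpcbind
tcp        0      0 192.0.2.100:8080            0.0.0.0:*                   LISTEN      3001/example-app
tcp        0      0 ::1:5432                    :::*                        LISTEN      3100/example-db
"""


@dataclass
class Listener:
    proto: str
    host: str      # bind address exactly as netstat prints it: "::", "0.0.0.0", "127.0.0.1", ...
    port: int
    scope: str     # "any" (wildcard), "loopback" or "specific"
    program: str   # the PID/Program name column


def split_host_port(addr: str) -> Tuple[str, str]:
    """Split netstat's "host:port" on the LAST colon, so ":::80" -> ("::", "80")
    and "::1:5432" -> ("::1", "5432")."""
    host, _, port = addr.rpartition(":")
    return host, port


def classify_bind_address(host: str) -> str:
    """Map a bind address to the scope it is reachable from."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:      # 0.0.0.0 or :: -> the wildcard: every address on every interface
        return "any"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1 -> only reachable from this machine
        return "loopback"
    return "specific"          # bound to one configured address (one interface)


def parse_netstat(text: str) -> List[Listener]:
    """Parse `netstat -tulpn`-style output into Listener records, skipping headers."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        # tcp lines carry a State column (LISTEN); udp lines do not, so the
        # PID/Program column starts one field earlier. Join the remainder because
        # program names can contain spaces (e.g. "2138/sendmail: acce").
        program = " ".join(fields[6:] if proto.startswith("tcp") else fields[5:])
        host, port = split_host_port(local)
        listeners.append(Listener(proto, host, int(port), classify_bind_address(host), program))
    return listeners


def exposed_listeners(text: str) -> List[Listener]:
    """Listeners bound to the wildcard address: reachable on every interface
    unless a firewall in front of them blocks the traffic."""
    return [l for l in parse_netstat(text) if l.scope == "any"]


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE_NETSTAT):
        print(f"{l.proto:4} {l.host:>12}:{l.port:<5} {l.scope:9} {l.program}")
    print("exposed on all interfaces:",
          [(l.proto, l.port, l.program) for l in exposed_listeners(SAMPLE_NETSTAT)])
```

One caveat worth keeping in mind when reading the "any" rows: on Linux a TCP socket bound to `::` also accepts IPv4 connections (they appear as IPv4-mapped addresses) unless the socket sets IPV6_V6ONLY or the `net.ipv6.bindv6only` sysctl is enabled, so `:::80` in the question's output normally means "every IPv4 and IPv6 address", not "IPv6 only". The parser above simply reports the scope; deciding whether a wildcard bind is acceptable is, as the answer says, a question of what the firewall in front of it permits.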
