Active and Passive FTP

Whenever Fetch retrieves a file list or transfers a file, it has to set up a new connection between your Macintosh and the FTP server. There are two ways it can do this, called active FTP and passive FTP. These aren't really different types of FTP; they're different ways of opening an FTP connection between the FTP client (Fetch) and the FTP server. Sometimes you'll be told to use one or the other, especially with respect to firewalls, routers, and NAT (Network Address Translation) devices. Active FTP is how FTP originally worked; passive FTP was developed to solve problems using active FTP with firewalls and NAT devices.

By default, Fetch uses its Automatic Passive Mode feature to determine whether passive or active FTP will work best for the connection you're using, and you don't have to worry about which to choose; your connection should just work successfully. The Automatic Passive Mode feature is always enabled. You do not have to turn it on.

However, in case Fetch's auto-detection capability doesn't work with your setup, this topic describes the difference between active and passive FTP, how they relate to using FTP with firewalls and NAT devices, when you should use active or passive, and what to do if neither one works. This topic only applies when connecting using FTP; SFTP does not have a notion of active or passive connections.

Ports & Firewalls

Your computer often talks to several different servers over the network simultaneously. For instance, you may be receiving email from one server while loading a webpage from another server, or you may be transferring files using FTP with several different servers.

In order to keep track of all these conversations, called connections, computers assign numbers to each connection. These are called port numbers, or ports for short.

A firewall is hardware or software that attempts to protect computers by preventing computers outside the firewall from starting connections with computers inside the firewall. Generally, your local network is inside, or behind, the firewall, whereas the rest of the Internet is outside the firewall. Firewalls only allow computers inside the firewall to start connections with outside computers. A firewall is like having a telephone system that doesn't accept any incoming calls, but that lets you place outgoing calls. As a result, you can still have conversations with other people; you've just got to be the one who starts them.

Active vs. Passive FTP

To make an FTP connection, the server needs to know on which port to talk to your Macintosh.

In active FTP, which was designed before firewalls were common, Fetch tells the server "this is the port you should talk to me on," and the server attempts to connect to that port. This is like Fetch giving the server a phone number to call your computer at. If your Macintosh is behind a firewall, the firewall blocks the incoming call, so you get an error when trying to open a connection because Fetch never hears from the server.

In passive FTP, Fetch asks the server to pick a port, and then connects to the server on that port. This is like Fetch asking at what phone number it can call the server. Since Fetch makes the call, the firewall allows it, and you are all set to transfer files.

NAT (Network Address Translation) devices allow multiple computers to share a single IP address. NAT devices can have issues similar to firewalls with connections coming in from the outside. In fact, some NAT devices also act as firewalls, so passive FTP also works better with NAT devices.
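
As an added illustration (not part of Fetch or its documentation), the Python sketch below decodes the address-and-port field the two modes exchange on the control connection, the PORT command in active FTP and the 227 reply to PASV in passive FTP, and flags when the advertised address differs from the one the other side actually sees, which is the sign of a NAT device in the path. The function names and sample lines are constructed for this example; the h1,h2,h3,h4,p1,p2 encoding is the one defined in RFC 959.

```python
import ipaddress
import re

# RFC 959 host-port field: four address bytes, then port high and low bytes.
_HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def diagnose(line, peer_sees):
    """Say who opens the data connection, to where, and whether NAT is visible.

    peer_sees is the advertiser's address as the other side sees it on the
    control connection (client address for PORT, server address for 227).
    """
    word = (line.split() or [""])[0].upper()
    if word == "PORT":
        mode, opener = "active", "server"    # server dials the client
    elif word == "227":
        mode, opener = "passive", "client"   # client dials the server
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    ip, port = parse_hostport(line)
    return {
        "mode": mode,
        "opener": opener,
        "endpoint": "%s:%d" % (ip, port),
        # True when the advertised address is not the one the opener would
        # have to dial: a translator sits in between and left the field as-is.
        "address_mismatch": ip != ipaddress.IPv4Address(peer_sees),
    }

if __name__ == "__main__":
    # Constructed sample lines (private and documentation address ranges).
    print(diagnose("PORT 192,168,1,20,196,10", peer_sees="198.51.100.4"))
    print(diagnose("227 Entering Passive Mode (203,0,113,7,195,80)",
                   peer_sees="203.0.113.7"))
```

A mismatch on a PORT line is the case where the server's connection attempt never reaches the client; a mismatch on a 227 line is the case where the server itself sits behind a NAT device.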

When To Use Passive FTP

Fetch's Automatic Passive Mode feature tries to automatically determine whether it should use passive or active FTP. You do not need to do anything to enable this feature. If the auto-detection does not seem to be working, you should use passive FTP at all times unless you receive an error trying to make a connection and have eliminated all other possible problems (see the Troubleshooting FAQ).

If you are trying to connect to a non-standard FTP port while behind a NAT device, the NAT device may not translate the request properly if you're using active FTP. You should use passive FTP in this case (or switch to connecting with SFTP).

FTP connections using Kerberos from behind a NAT device require that you use passive FTP. Even then, the server may require special changes to support Kerberos from behind a NAT device. Consult your server maintainer if necessary.

When To Use Active FTP

You should use active FTP in the following cases:

  • The FTP server you are trying to connect to does not support passive FTP connections.
  • The FTP server you are trying to connect to is behind a firewall, router, or NAT device itself.

You can tell Fetch to use active FTP for connections by unchecking the Use passive mode transfers preference in the General Preferences pane.

What To Do If Neither Active nor Passive FTP Works

In some cases, you may not be able to establish a connection with either active or passive FTP. For example, this may happen if both you and the FTP server are behind firewalls or NAT devices. In this case, you should try the following:

  • Try connecting to the server using SFTP. SFTP works quite a bit differently from FTP and does not have the same problems with firewalls and NAT devices.
  • If your Mac OS X firewall is turned on, try disabling it temporarily to see whether it is blocking the connection. You can configure the firewall to allow an exception for Fetch rather than leaving it turned off.
  • Contact the server maintainer and suggest they support passive FTP, or find out why passive FTP might not be working.
  • Contact Fetch support.