No prob. I believe FTP clients open 2 ports, 1 out and 1 in (control and data, IIRC).
Your shell login is likely running on a box that will allow the return port to be opened. The web server box (the one running your script) is likely behind a firewall that won't allow the return (data) port to open. You, however, are succeeding in logging in via the already open control port.
If I missed badly, others should correct me :), but it sounds good, eh?
Update: Beatnik followed up by pointing out to me more specifically that port (20), the traditional active FTP data port on the FTP server, may be blocked, while port (21), the traditional FTP control channel, may not be.
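
Added example, not part of the original post: a Python sketch that reads an FTP control-channel transcript and reports which side has to accept the data connection in active (PORT) versus passive (PASV) mode, which is where a firewall in front of the client decides the outcome. The transcript, the addresses and the firewall policy are constructed assumptions.

```python
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

# Constructed control-channel transcript (C: = client, S: = server)
SAMPLE = [
    "S: 230 Logged in",
    "C: PORT 10,0,0,5,19,137",
    "S: 200 PORT command successful",
    "C: LIST",
    "S: 425 Can't open data connection",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: LIST",
    "S: 150 Opening data connection",
]

def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connections(transcript):
    """Return (mode, initiator, listener_ip, listener_port) per data-channel setup."""
    conns = []
    for line in transcript:
        side, _, msg = line.partition(" ")
        if side == "C:" and msg.upper().startswith("PORT "):
            mode, initiator = "active", "server"    # server dials back to the client
        elif side == "S:" and msg.startswith("227"):
            mode, initiator = "passive", "client"   # client dials out a second time
        else:
            continue
        endpoint = decode_hostport(msg)
        if endpoint:
            conns.append((mode, initiator, *endpoint))
    return conns

def blocked_by_client_firewall(conn):
    """Assumed policy: the client-side firewall drops connections it did not initiate."""
    return conn[1] == "server"
```
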