The most promising route is to check the configuration file of your update program to use passive ftp, thus avoiding the problem in the first place.
If this is not possible:
I don't know gShield, but it seems it uses iptables.
iptables can be instructed to let related connections back in. You might find an iptables rule containing "--state ESTABLISHED,RELATED -j ACCEPT".
In order to determine what a "related" connection is, the modules ip_conntrack must be loaded.
This module listens in to the conversation between your program and the ftp server and determines what ports will be used. It then opens these ports.
The simplest way of loading these modules is a
at the beginning of the firewall script. But I don't know how to tell gShield to do that.
There is another pitfall. If the ftp server does not use the standard ftp port (21), the module will miss that conversation and will not open the ports.
In short, try to find the "passive ftp" setting in the update program.
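The connection tracking described above, as an added example that is not part of the original post and not the kernel module's code: a simplified Python model that reads FTP control-channel lines, extracts the data endpoint announced by a PORT command or a 227 reply, and skips sessions whose server port is not in the inspected set. The function names, the `helper_ports` parameter and the sample lines are hypothetical and constructed for illustration.

```python
import re

# FTP announces a data endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    match = ADDR.search(line)
    if not match:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed address, nothing to expect
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_connections(control_lines, helper_ports=(21,)):
    """Model of the tracker: only control sessions to helper_ports are read.

    control_lines is a list of (server_port, line) pairs. The result lists the
    data endpoints a "RELATED" rule would be able to match.
    """
    expected = []
    for server_port, line in control_lines:
        if server_port not in helper_ports:
            continue  # the pitfall: this conversation is never inspected
        endpoint = parse_endpoint(line)
        if endpoint:
            expected.append(endpoint)
    return expected


# Constructed sample traffic (documentation and private addresses)
SAMPLE = [
    (21, "USER anonymous"),
    (21, "PORT 192,168,1,10,195,80"),  # active: 195*256 + 80 = 50000
    (21, "227 Entering Passive Mode (203,0,113,5,78,32)"),  # 78*256 + 32 = 20000
    (2121, "PORT 192,168,1,10,195,81"),  # server on a non-standard port
]

if __name__ == "__main__":
    for ip, port in expected_connections(SAMPLE):
        print(f"expect data connection involving {ip}:{port}")
```

The session on port 2121 produces no expected endpoint, so in this model its data connection would not count as related and would be dropped by the firewall.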