diff --git a/roles/lmn_fvs/files/pam-exec.sh b/roles/lmn_fvs/files/pam-exec.sh
new file mode 100644
index 0000000..cec702e
--- /dev/null
+++ b/roles/lmn_fvs/files/pam-exec.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/bash
+
+if [[ "${PAM_USER}" =~ -exam$ ]]; then
+  systemctl start firewalld.service
+elif ! (users | grep -q -- "-exam"); then
+   systemctl stop firewalld.service
+fi