pfSense XML Configuration File

pfSense firewalls store all of their settings in an XML format configuration file. All configuration settings including settings for packages are held in this one file. All other configuration files for system services and behavior are generated dynamically at run time based on the settings held within the XML configuration file.

Those familiar with FreeBSD and related operating systems have found this out the hard way, when their changes to system configuration files were repeatedly overwritten by the firewall before they came to understand that pfSense handles everything automatically.

Most people will never need to know where the configuration file resides, but for reference it is in /cf/conf/config.xml. Typically, /conf/ is a symlink to /cf/conf, so it may also be accessible directly from /conf/config.xml, but this varies by platform and filesystem layout.

Manually editing the configuration

A few configuration options are only available by manually editing the configuration file, though this isn’t required in the vast majority of deployments. Some of these options are covered in other parts of this book.


Even for seasoned administrators it is still easy to incorrectly edit the configuration file. Always keep backups and be aware that breaking the configuration will result in unintended consequences.

The safest and easiest method of editing the configuration file is to make a backup from Diagnostics > Backup/Restore, save the file to a PC, edit the file and make any needed changes, then restore the altered configuration file to the firewall. Use an editor that properly understands UNIX line endings, and preferably an editor that has special handling for XML such as syntax highlighting. Do not use notepad.exe on Windows.

For administrators familiar with the vi editor, the viconfig command will edit the running configuration live, and after saving and quitting the editor, the firewall will remove the cached configuration from /tmp/config.cache and then the changes will be visible in the GUI. The changes will not be active until the next time the service relevant to the edited portion of the config is restarted/reloaded.