pfSense XML Configuration File
pfSense firewalls store all of their settings in an XML format configuration file. All configuration settings including settings for packages are held in this one file. All other configuration files for system services and behavior are generated dynamically at run time based on the settings held within the XML configuration file.
Those familiar with FreeBSD and related operating systems have found this out the hard way, when their changes to system configuration files were repeatedly overwritten by the firewall before they came to understand that pfSense handles everything automatically.
Most people will never need to know where the configuration file resides, but
for reference it is in
/conf/ is a
/cf/conf, so it may also be accessible directly from
/conf/config.xml, but this varies by platform and filesystem layout.
Manually editing the configuration
A few configuration options are only available by manually editing the configuration file, though this isn’t required in the vast majority of deployments. Some of these options are covered in other parts of this book.
Even for seasoned administrators it is still easy to incorrectly edit the configuration file. Always keep backups and be aware that breaking the configuration will result in unintended consequences.
The safest and easiest method of editing the configuration file is to make a
backup from Diagnostics > Backup/Restore, save the file to a PC, edit the
file and make any needed changes, then restore the altered configuration file to
the firewall. Use an editor that properly understands UNIX line endings, and
preferably an editor that has special handling for XML such as syntax
highlighting. Do not use
notepad.exe on Windows.
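As a check to run on the PC before restoring an edited backup, the following added example (not part of pfSense or its documentation) compares the edited file against the untouched backup. It reports a byte-order mark, non-UNIX line endings, and XML that is no longer well-formed, then lists every element whose value changed so the edit can be confirmed as the intended one. The sample configuration, its element names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a downloaded backup (not a real config).
ORIGINAL = (b"<pfsense>\n  <system>\n    <hostname>fw1</hostname>\n"
            b"    <domain>example.test</domain>\n  </system>\n</pfsense>\n")
GOOD_EDIT = ORIGINAL.replace(b"fw1", b"fw2")
CRLF_EDIT = GOOD_EDIT.replace(b"\n", b"\r\n")          # saved with DOS line endings
BROKEN_EDIT = ORIGINAL.replace(b"</hostname>", b"")    # closing tag deleted by mistake


def flatten(root):
    """Map every leaf element path (with sibling index) to its text."""
    leaves = {}

    def walk(el, path):
        children = list(el)
        if not children:
            leaves[path] = (el.text or "").strip()
        seen = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")
    walk(root, root.tag)
    return leaves


def check_edit(original: bytes, edited: bytes):
    """Return (problems, changed_paths) for an edited copy of a backup."""
    problems = []
    if edited.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark at start of file")
    if b"\r" in edited:
        problems.append("CR characters present: not UNIX line endings")
    try:
        new = ET.fromstring(edited)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems, []
    old = ET.fromstring(original)
    if new.tag != old.tag:
        problems.append(f"root element changed: <{old.tag}> -> <{new.tag}>")
    before, after = flatten(old), flatten(new)
    changed = sorted(p for p in before.keys() | after.keys()
                     if before.get(p) != after.get(p))
    return problems, changed

if __name__ == "__main__":
    for name, data in [("good", GOOD_EDIT), ("crlf", CRLF_EDIT), ("broken", BROKEN_EDIT)]:
        print(name, check_edit(ORIGINAL, data))
```

An empty problem list together with a change list that matches the intended edit is the condition for restoring the file.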
For administrators familiar with the
vi editor, the
will edit the running configuration live, and after saving and quitting the
editor, the firewall will remove the cached configuration from
/tmp/config.cache and then the changes will be visible in the GUI. The
changes will not be active until the next time the service relevant to the
edited portion of the config is restarted/reloaded.