pfSense XML Config Parser
I've just had cause to perform a security audit on a pfSense firewall. It would have been easiest if they had been able to give me read-only access to the web-based interface and let me poke about there. But this was not possible operationally, so I had to make do with a copy of the /conf/config.xml file. Bear in mind that config.xml holds more than the rulebase: user password hashes, VPN pre-shared keys and certificate private keys are all in there, so a copy needs to be handled (and destroyed afterwards) accordingly. I wrote a (very) simple parser that makes the rules a little easier to read. You can take its output and manipulate it easily using standard Unix tools such as grep, awk et al.
Here is version 0.1 of the code in case it's of use to someone else. The output is not pretty, it's not refined. It doesn't have much error trapping and it might not work perfectly with all config files. But hey, it's a start.
The file is also attached as a downloadable Perl script below.
#!/usr/bin/perl
# pfSense XML Config File to Greppable Text v0.1
# Reads a pfSense /conf/config.xml and prints the filter, outbound NAT and
# 1:1 NAT rules one per line, tab separated, so they can be grepped/awked.
use strict;
use warnings;
use XML::Simple;

print "\n";
print "---- pfSense XML Config File to Greppable Text v0.1 ----\n";
print "---- by daemonchild ----\n";
print "---- http://www.daemonchild.com ----\n";

if (@ARGV != 1) {
    print "\nUsage: pfsensexml.pl filename.xml\n";
    exit 1;
}
my $filename = $ARGV[0];
unless (-e $filename) {
    print "Hmm. I can't find your XML config file $filename\n";
    exit 1;
}

# Read the XML file. ForceArray keeps <rule> and <onetoone> as lists even
# when there is only one of them (otherwise XML::Simple hands back a plain
# hash and the foreach loops below see nothing). KeyAttr => [] stops it
# folding lists on id/name/key child elements, which pfSense rules contain.
my $xml  = XML::Simple->new(ForceArray => [ 'rule', 'onetoone' ], KeyAttr => []);
my $data = $xml->XMLin($filename);

# Render a <source> or <destination> element the way the GUI does:
# "any", an address, or a network/alias name (e.g. "lan"), with a leading
# "!" when the rule carries <not/> (invert match). Empty elements such as
# <any/> come back from XML::Simple as empty hashes, so test with exists.
sub endpoint {
    my ($ep) = @_;
    return 'any' unless ref $ep eq 'HASH';
    my $not = exists $ep->{not} ? '!' : '';
    return $not . 'any' if exists $ep->{any};
    return $not . ($ep->{address} // $ep->{network} // 'any');
}

print "\n\n---- Filter Rules ----\n";
print "Rule\tSource\tDestination\tService\tAction\tInterface\n";
my $counter = 0;
foreach my $myRule (@{ $data->{filter}{rule} // [] }) {
    $counter++;
    my $mySource = endpoint($myRule->{source});
    my $myDest   = endpoint($myRule->{destination});
    # Port may be a single port or a range ("1024-65535"); absent means any.
    my $myService = ref $myRule->{destination} eq 'HASH'
        ? ($myRule->{destination}{port} // 'any')
        : 'any';
    my $myProtocol = $myRule->{protocol}  // 'any';
    my $myAction   = $myRule->{type}      // '?';
    my $myIF       = $myRule->{interface} // '?';
    # Disabled rules are still in the file; mark them so they are not
    # mistaken for live policy during the audit.
    my $flag = exists $myRule->{disabled} ? ' (disabled)' : '';
    print "F$counter\t$mySource\t$myDest\t$myService/$myProtocol\t$myAction$flag\t$myIF\n";
}

print "\n\n---- Outbound NAT Rules ----\n";
print "Rule\tSource\tDestination\tInterface\n";
$counter = 0;
# Older pfSense releases write the manual outbound rules under
# <advancedoutbound>, newer ones under <outbound>; accept either.
my $outbound = $data->{nat}{advancedoutbound}{rule}
            // $data->{nat}{outbound}{rule}
            // [];
foreach my $myRule (@$outbound) {
    $counter++;
    my $mySource = endpoint($myRule->{source});
    my $myDest   = endpoint($myRule->{destination});
    my $myIF     = $myRule->{interface} // '?';
    print "N$counter\t$mySource\t$myDest\t$myIF\n";
}

print "\n\n---- One2One NAT Rules ----\n";
print "Rule\tInternal\tExternal\tInterface\n";
$counter = 0;
foreach my $myRule (@{ $data->{nat}{onetoone} // [] }) {
    $counter++;
    my $myExternal = $myRule->{external} // '?';
    my $myInternal = endpoint($myRule->{source});
    my $myIF       = $myRule->{interface} // '?';
    print "O$counter\t$myInternal\t$myExternal\t$myIF\n";
}