| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 111bc66bc8..462a2b4fc7 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -113,11 +113,18 @@ impl Firewall {
             .quick(true)
             .interface(&tunnel.interface)
             .proto(pfctl::Proto::Tcp)
-            .keep_state(pfctl::StatePolicy::Keep)
-            .tcp_flags(Self::get_tcp_flags())
             .to(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
             .build()?;
         rules.push(allow_tcp_dns_to_relay_rule);
+        let allow_tcp_dns_from_relay_rule = self
+            .create_rule_builder(FilterRuleAction::Pass)
+            .direction(pfctl::Direction::In)
+            .quick(true)
+            .interface(&tunnel.interface)
+            .proto(pfctl::Proto::Tcp)
+            .from(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
+            .build()?;
+        rules.push(allow_tcp_dns_from_relay_rule);
         let allow_udp_dns_to_relay_rule = self
             .create_rule_builder(FilterRuleAction::Pass)
             .direction(pfctl::Direction::Out)
@@ -129,18 +136,25 @@ impl Firewall {
         rules.push(allow_udp_dns_to_relay_rule);
 
         if let Some(ipv6_gateway) = tunnel.ipv6_gateway {
-            let v6_dns_rule_tcp = self
+            let allow_tcp_dns6_to_relay_rule = self
                 .create_rule_builder(FilterRuleAction::Pass)
                 .direction(pfctl::Direction::Out)
                 .quick(true)
                 .interface(&tunnel.interface)
                 .proto(pfctl::Proto::Tcp)
-                .keep_state(pfctl::StatePolicy::Keep)
-                .tcp_flags(Self::get_tcp_flags())
                 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
                 .build()?;
-            rules.push(v6_dns_rule_tcp);
-            let v6_dns_rule_udp = self
+            rules.push(allow_tcp_dns6_to_relay_rule);
+            let allow_tcp_dns6_from_relay_rule = self
+                .create_rule_builder(FilterRuleAction::Pass)
+                .direction(pfctl::Direction::In)
+                .quick(true)
+                .interface(&tunnel.interface)
+                .proto(pfctl::Proto::Tcp)
+                .from(pfctl::Endpoint::new(ipv6_gateway, 53))
+                .build()?;
+            rules.push(allow_tcp_dns6_from_relay_rule);
+            let allow_udp_dns6_to_relay_rule = self
                 .create_rule_builder(FilterRuleAction::Pass)
                 .direction(pfctl::Direction::Out)
                 .quick(true)
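Review bot: The new inbound rule `allow_tcp_dns_from_relay_rule` passes TCP traffic from the gateway's port 53 with no `.to()` restriction, while the same hunk drops `.keep_state(pfctl::StatePolicy::Keep)` and `.tcp_flags(Self::get_tcp_flags())` from the outbound rule, so DNS reply traffic is no longer admitted by connection state but by source address and port alone. Unless the `pfctl` builder defaults to a stateful policy, any TCP segment sourced from the gateway's port 53 can reach local ports whether or not a local resolver initiated the connection; the exposure is limited to the tunnel peer, but it is wider than the previous stateful rule. If state tracking was dropped deliberately (the commit message is not visible here), a comment on the new rule such as `// Stateless pass: replies from the relay's DNS port are matched by source address/port, not by pf state.` would record the reason; otherwise keeping `.keep_state(pfctl::StatePolicy::Keep)` on the outbound rules is the narrower fix. The second hunk (`allow_tcp_dns6_to_relay_rule` / `allow_tcp_dns6_from_relay_rule`) has the same pattern for the IPv6 gateway. The enclosing function begins before the first hunk and ends after the last one.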
@@ -148,7 +162,7 @@ impl Firewall {
                 .proto(pfctl::Proto::Udp)
                 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
                 .build()?;
-            rules.push(v6_dns_rule_udp);
+            rules.push(allow_udp_dns6_to_relay_rule);
         }
 
         rules.push(self.get_allow_relay_rule(peer_endpoint)?);
