You enumerate the features of the workstation.
These are Whonix features, not Whonix-Workstation specific features.
It would be good to have some more transparency on the gateway about stuff that gets blocked on it by the firewall in the general case.
Whonix-Gateway doesn't know if a Whonix-Default-Workstation or a Whonix-Custom-Workstation is being used. The best you could do is uncomment the commented-out log commands in Whonix-Gateway's firewall and watch the log. There is no /etc/whonix_firewall.d option for that yet, but one could easily be added if that was of any help. I doubt it will help, because what's logged in the firewall log didn't leak. It was once useful when developing the firewall to see if everything works or if anything gets blocked which shouldn't be blocked. Also, reading the log requires quite some knowledge about networking. Maybe there are some fancy graphical user interfaces making that a bit simpler to grasp.
Notice that it only mentions few basic network settings.
Which is the most important thing. Once you've set up the Whonix-Custom-Workstation to only have one network card which is only connected by an internal network ("Whonix") to Whonix-Gateway, there can't be any leaks. That's what I was talking about above as well.
Perhaps, as a first step, it could be improved to mention a minimum set of restricting, OS agnostic firewall rules that should be applied to the workstation.
A Whonix-Default/Custom-Workstation firewall is of limited use. Not zero, but limited. See Design Notes here:
The idea is that we have to worry less about let's say UDP leaks through the gateway if we configure the workstation behind it (not necessarily the whonix workstation, which is configured properly) to explicitly block outgoing UDP.
Whonix-Default-Workstation isn't configured by default to block UDP.
Whonix-Gateway blocks all UDP other than port 53 (DNS) traffic, which is forwarded to Tor’s DnsPort. (Unless you disable WORKSTATION_TRANSPARENT_DNS in /etc/whonix_firewall.d/.)
No help from Whonix-Default/Custom-Workstation is required to prevent UDP leaks. Not requiring this, i.e. not requiring one to trust Whonix-Default/Custom-Workstation, is one of the most basic designs in Whonix.
So, the question becomes this: if the workstation has a default DROP policy for all network data, what's a minimum set of ACCEPT rules to make it functional through the whonix gateway?
Depends on how much functionality you want. You could block everything except connections to TCP-only IP 192.168.0.10 port 9100 and then use that Tor SocksPort with Tor Browser.
Just by analogy with the rest of network settings mentioned there: it tells what IP to set, what gateway address, what DNS server, could do the same for firewall rules.
The thing I could imagine adding there would be "Experts can have a look here:
And consider applying this to the Whonix-Custom-Workstation.". I don't reserve a lot of time to discuss Whonix-Workstation's firewall. It is one of the less important things to improve security.
That https://www.whonix.org/wiki/Other_Operating_Systems article is too difficult anyway. Too few people are able to properly set up an operating system with all the features which a Whonix-Custom-Workstation has. Saying “Your responsibility to …” in the table (https://www.whonix.org/wiki/Other_Operating_Systems#Table) is more than non-ideal. I think things like secure network time synchronization are crucial. But how does one set that up on a Whonix-Custom-Ubuntu/Fedora/BSD-Workstation? I guess very few bother to extract the missing pieces from Whonix’s source code. I think time is better spent on other tickets (https://github.com/Whonix/Whonix/issues) such as “splitting Whonix into smaller packages” (https://github.com/Whonix/Whonix/issues/40). When that is implemented, installing the missing pieces such as sdwdate could be simpler if it was possible to run “sudo apt-get install sdwdate”.
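The minimal workstation ruleset sketched in the thread (default DROP on every chain, one TCP ACCEPT towards the gateway's Tor SocksPort, nothing for UDP) as a worked example. This is added here and is not Whonix project code: it emits an iptables-restore ruleset rather than applying it, so it can be reviewed first. The gateway address 192.168.0.10 and port 9100 are the values quoted above; the interface name eth0, the conntrack match and the LOG sampling are assumptions for a typical Linux custom workstation.

```shell
#!/bin/sh
# Added example, not Whonix's own firewall script.
# Generates a default-DROP ruleset for a custom workstation sitting behind
# Whonix-Gateway. Only TCP to Tor's SocksPort on the gateway is permitted;
# UDP never gets an ACCEPT rule, so nothing but the gateway can see traffic.

GATEWAY_IP="${GATEWAY_IP:-192.168.0.10}"   # value quoted in the thread
SOCKS_PORT="${SOCKS_PORT:-9100}"           # Tor SocksPort quoted in the thread
WS_IFACE="${WS_IFACE:-eth0}"               # assumption: workstation's only NIC

# Print the ruleset in iptables-restore format. Nothing is applied here.
ws_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open for local services.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the workstation opened itself.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The single permitted destination: Tor's SocksPort on the gateway, TCP only.
-A OUTPUT -o ${WS_IFACE} -p tcp -d ${GATEWAY_IP} --dport ${SOCKS_PORT} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Everything else (UDP, ICMP, other hosts) falls through to the DROP policy.
# A rate-limited LOG lets a blocked application be diagnosed without opening
# the firewall; as noted in the thread, logged packets are ones that did not leak.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ws-fw-drop: "
COMMIT
EOF
}

# Self-check helpers: count ACCEPT rules to a given destination port, and
# count any ACCEPT rule that mentions UDP (which must be zero).
count_accepts_to_port() {
    ws_firewall_rules | awk -v p="--dport $1 " 'index($0, p) && /-j ACCEPT/ {n++} END {print n+0}'
}

count_udp_accepts() {
    ws_firewall_rules | awk '/-p udp/ && /-j ACCEPT/ {n++} END {print n+0}'
}

# Apply the ruleset (needs root). Run "ws_firewall_rules" alone to review it
# first, or pipe it through "iptables-restore --test" where that flag exists.
apply_rules() {
    ws_firewall_rules | iptables-restore
}
```

Running the script sourced in a shell and calling `ws_firewall_rules` prints the ruleset for review; `apply_rules` loads it atomically, which avoids the window where a rule-by-rule `iptables -A` script has set ACCEPT rules but not yet the DROP policy. Tor Browser on the workstation is then pointed at the gateway's SocksPort, and anything that tries to resolve names or speak UDP directly simply fails instead of leaking, matching the gateway-side guarantee described above.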