I opened a pull request at
https://github.com/Whonix/whonix-firewall/pull/7 but was told that the requested change needs to be discussed here first. So, here we go.
Let’s just start off with the commit message from my pull requests:
We want certain related packages to be accepted. In particular,
I’ve run into issues using a VPN in front of a Whonix Gateway. This
because the related Fragmentation Needed packages get dropped:
1780 280.196298 10.137.0.31 → 10.137.0.19 ICMP 590 Destination unreachable (Fragmentation needed)
With those packages not being delivered, a connection can be
established and works fine until a large package is sent. However,
once that happens no more packages can be delivered and the
connection times out after a while.
There is probably also a bunch of other, related packages that
we want to be delivered. ICMP host unreachable comes to mind, for
instance. Without it being delivered, one has to wait for
the connection attempt to timeout.
Note: Related connections appear to have been disabled in
414c2105149e02dcff82303e4c5b2dcd60ebbd29 but with no clear indication to why.
I do think it’s reasonable to adjust the firewall to ensure ICMP Fragmentation Needed packages are delivered. A hop with a lower MTU somewhere in the network should simply not break the network connection, at least in my opinion. Of course, there are other ways to allow Fragmentation Needed packages than just allowing RELATED packages but I’d like to hear any concerns about using this approach first before looking into how those concerns can be addressed.