diff --git a/components/ufw.yml b/components/ufw.yml
index 3ceaeeed9064..b79ffaafd565 100644
--- a/components/ufw.yml
+++ b/components/ufw.yml
@@ -10,6 +10,9 @@ rules:
 - service_ufw_enabled
 - set_ufw_default_rule
 - set_ufw_loopback_traffic
+- ufw_default_incoming_rule
+- ufw_default_outgoing_rule
+- ufw_disabled_routed
 - ufw_only_required_services
 - ufw_rate_limit
 - ufw_rules_for_open_ports
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh
new file mode 100644
index 000000000000..02030a017bf6
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu,multi_platform_debian
+
+ufw default deny incoming
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml
new file mode 100644
index 000000000000..0de9a6969b80
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("Ensure ufw default incoming policy is deny or reject", rule_title=rule_title) }}} + + + + + + + + + + /etc/default/ufw + ^DEFAULT_INPUT_POLICY="(DROP|REJECT)"$ + 1 + +
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml
new file mode 100644
index 000000000000..8c325df91d9d
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml
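Review bot: The remediation `ufw default deny incoming` flips the default policy with no guard and no comment; if ufw is already enabled the change is applied at once, and on a remotely administered host with no allow rule for the management service this reproduces exactly the lockout that the rule.yml warning describes. The same applies to ufw_default_outgoing_rule/bash/shared.sh and ufw_disabled_routed/bash/shared.sh, and the outgoing variant is the most disruptive because it also stops the host's own new outbound connections (name resolution, package repositories) unless allow rules already exist. The tests run `ufw allow ssh` before changing the default, which the remediations do not. At minimum add a header comment such as `# NOTE: applied immediately when ufw is enabled; ensure an allow rule for the administrative service exists first`, and if the project's remediation metadata header (`# disruption = ...`) is used for the other ufw rules it belongs on these three as well.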
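Review bot: The pattern `^DEFAULT_INPUT_POLICY="(DROP|REJECT)"$` only matches a double-quoted value, but /etc/default/ufw is a shell-sourced file, so `DEFAULT_INPUT_POLICY=DROP` or a single-quoted value is equally effective and would be reported as failing; `^DEFAULT_INPUT_POLICY=["']?(DROP|REJECT)["']?$` accepts the forms the shell accepts, unless the project convention is to require exactly what `ufw default` writes. The element tags of this hunk are not visible in this rendering, so the rest of the object is inferred; the trailing `1` looks like an instance selector, and if so a later duplicate assignment of ACCEPT in the same file would win at runtime without being seen by the check. The same pattern shape is used for DEFAULT_OUTPUT_POLICY in ufw_default_outgoing_rule/oval/shared.xml and DEFAULT_FORWARD_POLICY in ufw_disabled_routed/oval/shared.xml.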
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Ensure ufw Default Deny Policy for Incoming Connections'
+
+description: |-
+ A default deny policy on incoming connections ensures that any unconfigured
+ inbound network traffic will be rejected.
+ Set DEFAULT_INPUT_POLICY to DROP or REJECT
+ in /etc/default/ufw.
+
+ Note: Any port or protocol without an explicit allow before the default
+ deny will be blocked.
+
+rationale: |-
+ With a default accept policy the firewall will accept any incoming packet
+ that is not configured to be denied. It is easier to allow acceptable
+ usage than to block unacceptable usage.
+
+severity: medium
+
+platform: package[ufw]
+
+ocil_clause: 'the default policy for incoming connections is not set to deny or reject'
+
+ocil: |-
+ Run the following command and verify that the default policy for incoming
+ connections is deny or reject:
+
# ufw status verbose | grep Default:
+ Example output:
+
Default: deny (incoming), ...
+
+warnings:
+ - general: |-
+ Changing firewall settings while connected over network can
+ result in being locked out of the system.
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh
new file mode 100644
index 000000000000..22b41f3fbd6c
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/allow.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default allow incoming
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh
new file mode 100644
index 000000000000..7f50e33bad11
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/deny.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default deny incoming
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh
new file mode 100644
index 000000000000..37a33f07300e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/tests/reject.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default reject incoming
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh
new file mode 100644
index 000000000000..7e8b8edb4ff9
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu,multi_platform_debian
+
+ufw default deny outgoing
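Review bot: The description states that unconfigured inbound traffic "will be rejected", but the rule accepts DROP as well as REJECT and DROP discards packets silently without a response; `inbound network traffic will be dropped or rejected.` describes both accepted settings accurately. The ocil asks the reader to inspect the live `ufw status verbose` output while the automated check reads /etc/default/ufw, so the two can disagree on a host where ufw is installed but not enabled; one sentence in the description such as `This setting takes effect only while ufw is enabled (see service_ufw_enabled).` would explain that. The same wording applies to the ufw_default_outgoing_rule rule.yml.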
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml
new file mode 100644
index 000000000000..c1364e3e8fb3
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("Ensure ufw default outgoing policy is deny or reject", rule_title=rule_title) }}} + + + + + + + + + + /etc/default/ufw + ^DEFAULT_OUTPUT_POLICY="(DROP|REJECT)"$ + 1 + +
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml
new file mode 100644
index 000000000000..ae18072657b3
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Ensure ufw Default Deny Policy for Outgoing Connections'
+
+description: |-
+ A default deny policy on outgoing connections ensures that only explicitly
+ allowed outbound network traffic will be permitted.
+ Set DEFAULT_OUTPUT_POLICY to DROP or REJECT
+ in /etc/default/ufw.
+
+ Note: Any port or protocol without an explicit allow before the default
+ deny will be blocked.
+
+rationale: |-
+ With a default accept policy the firewall will allow any outgoing packet
+ that is not configured to be denied. Restricting outgoing traffic reduces
+ the risk of data exfiltration and limits the impact of a compromised host.
+
+severity: medium
+
+platform: package[ufw]
+
+ocil_clause: 'the default policy for outgoing connections is not set to deny or reject'
+
+ocil: |-
+ Run the following command and verify that the default policy for outgoing
+ connections is deny or reject:
+
# ufw status verbose | grep Default:
+ Example output:
+
Default: ..., deny (outgoing), ...
+
+warnings:
+ - general: |-
+ Changing firewall settings while connected over network can
+ result in being locked out of the system.
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh
new file mode 100644
index 000000000000..2044da9f0199
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/allow.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default allow outgoing
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh
new file mode 100644
index 000000000000..ea3bf04041cb
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/deny.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default deny outgoing
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh
new file mode 100644
index 000000000000..c4deef415348
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/tests/reject.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = ufw
+
+ufw allow ssh
+ufw default reject outgoing
+ufw -f enable
diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh
new file mode 100644
index 000000000000..17330f3df230
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu,multi_platform_debian
+
+ufw default deny routed
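Review bot: The general warning is the same text as the incoming rule, but a deny default for outgoing traffic has a different failure mode: new connections initiated by the host itself (name resolution, package repositories, time sync, remote logging) stop unless explicit allow rules exist, so "locked out" understates the impact on unattended hosts. Add a second sentence to the warning, e.g. `Outbound services the host depends on (DNS, package repositories, NTP) must be explicitly allowed before this policy is applied.`. The description's "only explicitly allowed outbound network traffic will be permitted" is accurate and could be cross-referenced from the warning.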
diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml
new file mode 100644
index 000000000000..865a40672089
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("Ensure ufw default routed policy is disabled or deny", rule_title=rule_title) }}} + + + + + + + + + + /etc/default/ufw + ^DEFAULT_FORWARD_POLICY="(DROP|REJECT)"$ + 1 + +
diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml
new file mode 100644
index 000000000000..64b47612ec1e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Ensure ufw Default Policy for Routed (Forwarded) Traffic is Disabled'
+
+description: |-
+ The default policy for routed (forwarded) traffic in ufw should be set to
+ disabled or deny, ensuring that the system does not forward packets between
+ interfaces unless explicitly configured to do so.
+
+rationale: |-
+ Unless the system is intended to act as a router, forwarding traffic between
+ network interfaces should be disabled. Disabling the routed default policy
+ prevents the system from accidentally or maliciously forwarding traffic.
+
+severity: medium
+
+platform: package[ufw]
+
+ocil_clause: 'the default policy for routed traffic is not set to disabled or deny'
+
+ocil: |-
+ Run the following command and verify that the default policy for routed
+ traffic is disabled or deny:
+
# ufw status verbose | grep Default:
+ Example output:
+
Default: ..., disabled (routed)
+
+warnings:
+ - general: |-
+ Changing firewall settings while connected over network can
+ result in being locked out of the system.
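Review bot: The title, description and ocil_clause accept "disabled" as a passing state, while the automated check in the oval hunk requires DEFAULT_FORWARD_POLICY to be DROP or REJECT and the remediation sets `deny`; the diff does not establish that ufw prints `disabled (routed)` only when the file holds one of those values. If "disabled" instead reflects kernel forwarding being off, a host with an ACCEPT forward policy and forwarding disabled passes the manual check but fails the scan. Either align the manual text with the check (`traffic is deny or reject:` in the ocil and `is not set to deny or reject` in ocil_clause) or add a sentence to the description stating which file value the check requires and that the remediation sets it to deny. The description also does not name the setting; `Set DEFAULT_FORWARD_POLICY to DROP or REJECT in /etc/default/ufw.` would match the two sibling rules.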