UFW: allow SSH + Mumble, block everything else

Updated: February 2026

A small private Mumble server should expose very little. The usual baseline is: deny all inbound, allow SSH, and allow UDP 64738 (plus optional TCP 64738).

Don’t lock yourself out: ensure you can access a provider console before tightening firewall rules.

If you’re new to VPS security, start with our Ubuntu VPS hardening checklist.

Assumptions

  • Ubuntu/Debian server
  • Mumble listens on 64738/udp (default)
  • You need SSH access (22/tcp)

1) Install UFW (if needed)

sudo apt update
sudo apt install -y ufw

2) Set safe defaults

sudo ufw default deny incoming
sudo ufw default allow outgoing

3) Allow SSH first

sudo ufw allow OpenSSH
# or: sudo ufw allow 22/tcp

Do this before enabling UFW. Always.

4) Allow Mumble (UDP + optional TCP)

# Required for voice
sudo ufw allow 64738/udp

# Optional TCP fallback
sudo ufw allow 64738/tcp

Also remember: your provider firewall must allow this too. DigitalOcean example: open UDP 64738 in a DigitalOcean firewall.

5) Enable and verify

sudo ufw enable
sudo ufw status verbose

Verification checklist:

  • You can still SSH in from a second terminal.
  • Mumble is listening on 64738.
  • No other inbound ports are open.

ss -lunpt | grep -E ':64738\b' || true
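
The "no other inbound ports are open" check can be made repeatable by auditing `ufw status verbose` output against this page's baseline. This is an added example, not part of the original guide: the function names and the sample output (including the stray 8080/tcp rule that makes the check fail) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). audit_ufw_baseline reads
# `ufw status verbose` text on stdin, prints findings, and returns 0 only
# when the rule set matches the baseline described in this guide.
audit_ufw_baseline() {
    awk '
    /^Status: /  { active = ($2 == "active") }
    /^Default: / { deny_in = ($2 == "deny" && $3 == "(incoming),") }
    / ALLOW IN / {
        port = $1    # first column: 22/tcp, 64738/udp, or a profile name
        if (port == "22/tcp" || port == "OpenSSH") ssh = 1
        else if (port == "64738/udp") voice = 1
        else if (port != "64738/tcp") {   # 64738/tcp is the optional fallback
            print "UNEXPECTED: inbound allow for " port; bad = 1
        }
    }
    END {
        if (!active)  { print "FAIL: UFW is not active"; bad = 1 }
        if (!deny_in) { print "FAIL: default incoming policy is not deny"; bad = 1 }
        if (!ssh)     { print "FAIL: no SSH allow rule"; bad = 1 }
        if (!voice)   { print "FAIL: 64738/udp not allowed (voice is UDP)"; bad = 1 }
        if (!bad) print "OK: baseline matches"
        exit bad + 0
    }'
}

# Constructed sample: the rule set this guide produces, plus a stray 8080/tcp.
sample_with_stray_rule() {
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
64738/udp                  ALLOW IN    Anywhere
64738/tcp                  ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
EOF
}

# Constructed sample: the same output without the stray rule.
sample_baseline() { sample_with_stray_rule | grep -v '^8080/tcp'; }

# Real use: sudo ufw status verbose | audit_ufw_baseline
sample_with_stray_rule | audit_ufw_baseline || echo "baseline check failed"
```

The check only covers UFW on the host; the provider firewall still has to be checked separately.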

Common mistakes

  • Forgetting the provider firewall still blocks 64738/udp.
  • Allowing only TCP 64738 (voice is UDP).
  • Enabling UFW before allowing SSH.

If it still won’t connect: Mumble server not reachable (UDP blocked) — fix checklist.

Need a Mumble setup with sane firewall posture?

SecureVoice can provision a private server (hosted) or do a fixed-scope BYO‑VPS setup with verification.