1.2. Handling incoming connections

Incoming connections are first received by the vela-nfqueue-helper service, which is a client module connected to the libnetfilter-queue kernel framework. The nfqueue-helper determines the source and destination zones of the connection, and then tries to find a suitable firewall rule. If the rule points to a packet filtering service, the connection is processed according to Procedure 1.2.1, Handling packet filtering services; if it points to an application-level service, the connection is processed according to Procedure 1.2.2, Handling application-level services. If no suitable rule is found, the connection is rejected.
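
The decision sequence described above (zone lookup, rule search, dispatch, reject by default) can be modelled in a few lines. This is an added illustration, not code from the product: the zone table, the rule set, all names, and the choice of most-specific-subnet zone matching with exact zone-name comparison are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone table (assumption): zone name -> subnets it covers.
ZONES = {
    "internet": ["0.0.0.0/0"],
    "intranet": ["10.0.0.0/8"],
    "dmz": ["10.0.5.0/24"],
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    service_kind: str  # "packet-filter" or "application-level"
    service_name: str  # hypothetical service identifier

# Constructed rule set (assumption).
RULES = [
    Rule("internet", "dmz", 80, "application-level", "http_inbound"),
    Rule("intranet", "internet", 53, "packet-filter", "dns_forward"),
]

def zone_of(address: str) -> Optional[str]:
    """Return the zone whose most specific subnet contains the address."""
    ip = ipaddress.ip_address(address)
    best = None  # (prefix length, zone name) of the best match so far
    for zone, subnets in ZONES.items():
        for net in map(ipaddress.ip_network, subnets):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, zone)
    return best[1] if best else None

def dispatch(src: str, dst: str, dst_port: int) -> str:
    """Return '<service kind>:<service name>' for the matching rule, or 'reject'."""
    key = (zone_of(src), zone_of(dst), dst_port)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == key:
            return f"{rule.service_kind}:{rule.service_name}"
    return "reject"  # no suitable rule found: the connection is rejected
```

In this model a host in 10.0.5.0/24 resolves to the `dmz` zone rather than `intranet`, so it does not match the `intranet` DNS rule and falls through to the reject branch.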