Incoming connections are first received by the kzorp kernel module, which is actually a netfilter table. The kzorp module determines the source and destination zones of the connection, and then tries to find a suitable firewall rule. If the rule points to a packet filtering service, the connection is processed according to Procedure 1.2.1, Handling packet filtering services; if it points to an application-level service, the connection is processed according to Procedure 1.2.2, Handling application-level services. If no suitable rule is found, the connection is rejected.