The Untangle NGFW architecture includes a kernel—Untangle VM (UVM)—and apps.
Untangle NGFW itself runs on the UVM; thus, any traffic directed to Untangle NGFW local services (such as the administration console) is processed on the UVM. In addition, unlike other Linux products, the network processes (such as routing, NATing, and so on) are performed on the UVM and not in the kernel.
Untangle applications run on the UVM. When traffic reaches the Untangle NGFW server, the packet stream is terminated (endpointed) on the UVM and reconstructed at layer 7 (the application layer). The data then flows through the applications for scanning, and if it passes, it is eventually put back into new packets and sent on its way.
So, the possible actions that can be taken on incoming streams are as follows:
Incoming streams can be bypassed at the kernel level (the traffic will be forwarded to its destination without scanning)
Incoming streams can be dropped at the kernel...