On 2022-06-18, Janne Johansson <icepic...@gmail.com> wrote:
> On Sat 18 June 2022 at 11:17, Cristian Danila <clau...@postmail.ro> wrote:
>> 09:51:40.913795 arp reply 192.168.121.131 is-at 00:0c:29:c3:d9:a7
>
> arp is done "outside" of pf, that is why you see the arp exchange.
> nmap lists this as "I know things about the hosts" and while it calls
> it a "ping scan", it really hasn't got much in common with icmp pings,
> but rather does an arp request and says that all hosts that respond
> are "up". I'm sure a box can be all kinds of broken and still send out
> arp replies, so you have to adapt your expectations of what "up" means
> here. (first sentence on 'man nmap' on the part where it says what -sn
> does is informative I guess?)
> So while you can see an ethernet device with a mac and an IP does
> exist on the local network, that is all you get.
Additionally if you disallow ARP, IP won't work at all. You may be able to restrict ARP by using a bridge interface and MAC address filters but it won't be pretty.
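As an added illustration of what the thread describes (this is not code from the thread or from either of its authors), the script below reads OpenBSD-style tcpdump ARP lines of the shape quoted above and shows exactly how little a `-sn` style sweep yields: which IP/MAC pairs answered an ARP request, which targets stayed silent, and which asker queried many addresses in a short window, the pattern pf never sees because ARP is resolved below it. The sample capture is constructed for this example; only the `192.168.121.131` reply line mirrors the one in the thread, and the plain `arp who-has ... tell ...` / `arp reply ... is-at ...` format without extra decoration is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of OpenBSD-style tcpdump output. The 192.168.121.131
# reply follows the line quoted in the thread; every other line is made up.
SAMPLE = """\
09:51:40.901111 arp who-has 192.168.121.130 tell 192.168.121.1
09:51:40.901222 arp who-has 192.168.121.131 tell 192.168.121.1
09:51:40.901333 arp who-has 192.168.121.132 tell 192.168.121.1
09:51:40.901444 arp who-has 192.168.121.133 tell 192.168.121.1
09:51:40.913795 arp reply 192.168.121.131 is-at 00:0c:29:c3:d9:a7
09:51:40.915000 arp reply 192.168.121.133 is-at 00:0c:29:aa:bb:cc
09:51:41.000000 arp who-has 192.168.121.1 tell 192.168.121.131
09:51:41.000500 arp reply 192.168.121.1 is-at 00:50:56:c0:00:08
"""

# Assumed line shapes: "<ts> arp who-has <target> tell <asker>" and
# "<ts> arp reply <ip> is-at <mac>" with no trailing decoration.
WHO_HAS = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^(\S+) arp reply (\S+) is-at ([0-9a-f:]{17})$")


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp(text):
    """Split a capture into requests [(ts, target, asker)] and replies [(ts, ip, mac)]."""
    requests, replies = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := WHO_HAS.match(line):
            requests.append(m.groups())
        elif m := REPLY.match(line):
            replies.append(m.groups())
    return requests, replies


def responders(text):
    """Hosts that are 'up' in nmap's ARP sense: ip -> mac for anything that replied.

    This is all an ARP sweep proves: an interface with that MAC answered for that IP.
    """
    _, replies = parse_arp(text)
    return {ip: mac for _, ip, mac in replies}


def unanswered(text):
    """Targets that were asked about but never replied. Silence is not proof of 'down'."""
    requests, _ = parse_arp(text)
    answered = responders(text)
    return sorted({target for _, target, _ in requests if target not in answered})


def sweep_sources(text, threshold=3, window=2.0):
    """Askers that queried >= threshold distinct targets within `window` seconds.

    Returns asker_ip -> largest number of distinct targets seen in any window.
    A burst like this is the on-wire signature of an ARP-based host discovery run.
    """
    requests, _ = parse_arp(text)
    by_asker = defaultdict(list)
    for ts, target, asker in requests:
        by_asker[asker].append((_seconds(ts), target))
    found = {}
    for asker, events in by_asker.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            found[asker] = best
    return found


if __name__ == "__main__":
    for ip, mac in responders(SAMPLE).items():
        print(f"responded: {ip} is-at {mac}")
    print("no reply:", unanswered(SAMPLE))
    print("sweep sources:", sweep_sources(SAMPLE))
```

Feed it real output from `tcpdump -n -i <iface> arp` to compare what a sweep sees against your own inventory; an address that answers ARP but is not on the inventory is worth a look, and an address that does not answer tells you nothing about whether the box is alive.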