I have write me a little firewall with iptables and it works fine. but if I scan my PC he send an ARP-request into the Lan and betray my PC to the scanners PC. I know that he only have to look into his arp-table to find my PC there but I dont wont to give him an reaction on an scan.

How can I configure my System that it send only a ARP-request if the Package pass the firewall.

Assuming the scanner's machine has the IP address $SCANIP, are you sure that: iptables -I INPUT -s $SCANIP -j DROP exhibits the behaviour you describe? Have you really configured your firewall box to be entirely silent towards the scanner's computer? How do you know its IP address in advance? What if she changes it? And an entirely different, but probably more important problem: why are you afraid of your firewall being detected? Isn't it well advertised anyway, being a gateway of some sort? Cheers, Tobias