I like the idea to put bogus ARP entries in _BOTH_ systems - simple and clever. That it appears to have failed is surprising to me - perhaps the systems were rebooted and there was no script to add-back the ARP stuff. That, or perhaps while the two systems are connected to the same switch fabric, they are not in the same _IP_ subnet? In that case, the comms would go through a router and it would be the router's IP to MAC translation being used.
Taking the ARP idea one step higher in the protocol stack, one could also try adding a specific host route on _each_ of the two systems that pointed to some non-existant IP address as a gateway (remember to use a metric of 1 in the route command and add it to the /etc/rc.config.d/netconf file.)
The one drawback to both the ARP and routing hacks is that they only work for IP. They will not preclude link-level (layer 2) connectivity between the two hosts.
The problem with TCP wrappers (and inetd.sec) is that only those things configured to use them will be affected. There will still be TCP, IP and Link-level connectivity between the two systems. Also, ping is not affected by inetd.sec, and I doubt by TCP wrappers.
That takes things back to either ipfilter, or settings in the switches. As there is often an unfortunate "firewalling" of the sysadmins from the network admins, if you are a sysadmin, it may be easier to install and configure ipfilter than to get the network admins to setup whatever the switches can do for MAC address filtering.
there is no rest for the wicked yet the virtuous have no pillows
