Update! Turns out it was neither ARP nor upstream: the new machine has a new major release of IPFilter, and while it accepted my old rules without errors or warnings, it interpreted them rather differently. Since I already don't have any listening ports that I don't want, disabling IPFilter restores normal network operation until I can update the filter rules for a second layer of protection.