It was meant to be this way.
The kernel gets packets which may destined to your host or to another hosts. If your machine is not routing (there are no routing tables for other networks/hosts) or IP forwarding is turned off, then netfilter won't see those packets. If it did otherwise, then suddendly netfilter would have to process each one :s
Raw sockets don't listen to any port, they just tell the kernel that they would like to see all traffic, nothing more. Note that raw sockets will see packets dropped by netfilter too.
If you'd want to "fix" it, setup your machine as a router on your LAN.
Anyway, those packets would never reach any service on your machine and, if you're not routing, they won't reach other hosts either. The only security breach is the fact that these sniffers run as root, and there have been many overflows on the protocols handlers which they use. I never use ethereal for this fact, and tcpdump too has its dangers
Anyway, if you wanna try something with these packets, you could setup some bpf rules as used by libpcap that could filter some traffic. What you're trying to do anyway?