As far as I can determine, the way that firewalld sets up masquerading completely breaks both ntpd and chrony.
Both servers appear to start, but their corresponding client-side tools, ntpdc or chronyc, cannot talk to them. strace shows that UDP packets to 127.0.0.1 have their source IP address rewritten to the public interface, and the server's response is lost.
This bug with firewalld's masquerading rules was reported back in October, as bug 1152472.
If anyone managed to get either ntpd or chrony fully functional on a server that has firewalld's masquerading enabled, I'd love to know how you did that.
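As an added example (not part of the original post, and not a fix from firewalld or the bug report), here is a quick shell check for the symptom described above: it scans a dump of the nat table in the format `iptables -t nat -S` prints and flags MASQUERADE rules that are not shielded from loopback traffic, either by a `! -o lo` match on the rule itself or by an earlier `-o lo -j RETURN` in POSTROUTING. The two rule dumps embedded below are constructed samples, and the chain names POST_public / POST_public_allow are assumed for illustration.

```shell
#!/bin/sh
# Added example: detect nat MASQUERADE rules that would also rewrite the
# source address of packets sent to 127.0.0.1. Input is text in the format
# produced by `iptables -t nat -S` (pass it as the first argument).

# Constructed sample: masquerade with no loopback exclusion anywhere.
SAMPLE_BAD='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N POST_public
-N POST_public_allow
-A POSTROUTING -j POST_public
-A POST_public -j POST_public_allow
-A POST_public_allow -j MASQUERADE'

# Constructed sample: loopback output returns early, and the masquerade
# rule itself also excludes the loopback interface.
SAMPLE_OK='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N POST_public
-N POST_public_allow
-A POSTROUTING -o lo -j RETURN
-A POSTROUTING -j POST_public
-A POST_public -j POST_public_allow
-A POST_public_allow ! -o lo -j MASQUERADE'

# masq_loopback_unsafe RULES
# Prints every MASQUERADE rule that loopback traffic could still reach and
# exits 0 if at least one was found, 1 if the dump looks safe. Heuristic:
# it relies on `-S` listing the built-in POSTROUTING chain before the
# user-defined chains, so a loopback RETURN in POSTROUTING is seen first.
masq_loopback_unsafe() {
    printf '%s\n' "$1" | awk '
        # An early RETURN for output on lo shields every later chain.
        /^-A POSTROUTING .*-o lo -j RETURN/ { guard = 1 }
        /-j MASQUERADE/ {
            if (guard || $0 ~ /! -o lo/) next
            bad++
            print "loopback not excluded: " $0
        }
        END { if (bad > 0) exit 0; else exit 1 }
    '
}

# Live usage on a host (requires root):
#   masq_loopback_unsafe "$(iptables -t nat -S)" && echo "masquerade reaches loopback"
masq_loopback_unsafe "$SAMPLE_BAD"
masq_loopback_unsafe "$SAMPLE_OK" || echo "sample OK: loopback excluded"
```

If the check fires, one workaround to try (an assumption on my part, not something the bug report confirms) is a direct rule that returns loopback output from nat POSTROUTING before firewalld's own chains run, e.g. `firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o lo -j RETURN` followed by `firewall-cmd --reload`, then re-run the check against the live table.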