firewalld's --add-masquerade option breaks ntpd, and other things. This has been documented in bug 1152472 as always reproducible, but nobody seems to care.
I do notice a masquerade clause in the documentation for firewalld's "rich language". I was wondering if --add-masquerade's breakage could be worked around by enabling masquerading only for my local LAN IP address range.
So I tried:
--remove-masquerade --add-rich-language 'rule family="ipv4" source address="192.168.0.0/24" masquerade'
This doesn't appear to make any difference. Traceroutes from the LAN to globally-routable IP addresses are blocked by the firewall.
Is there anything missing that needs to be done? The firewalld.language man page's description does not offer any clues.
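An added Python helper, not part of this post: it parses `firewall-cmd --zone=<zone> --list-all`-style output (a constructed sample below, not captured from a real host) and reports whether a given LAN source address would be masqueraded by the zone-wide setting or by a `masquerade` rich rule like the one tried above. The listing layout, the zone name `public` and the `eth0` interface are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `firewall-cmd --zone=public --list-all`
# (zone-wide masquerade off, one rich rule); not captured from a real host.
SAMPLE_ZONE_LISTING = """\
public (active)
  interfaces: eth0
  masquerade: no
  rich rules:
\trule family="ipv4" source address="192.168.0.0/24" masquerade
"""

RICH_RULE_RE = re.compile(
    r'rule family="(?P<family>ipv4|ipv6)"'
    r'(?: source address="(?P<source>[^"]+)")?'
    r'(?P<rest>.*)$')

def parse_zone_listing(text):
    """Return (zone_wide_masquerade, [rich rule strings]) from listing text."""
    masquerade, rich_rules, in_rich = False, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("masquerade:"):
            masquerade = stripped.split(":", 1)[1].strip() == "yes"
            in_rich = False
        elif stripped == "rich rules:":
            in_rich = True
        elif in_rich and stripped.startswith("rule "):
            rich_rules.append(stripped)
        elif ":" in stripped:  # any other "key:" line ends the rich-rules section
            in_rich = False
    return masquerade, rich_rules

def masquerade_applies(text, src_ip):
    """Return 'zone', 'rich' or None: how (if at all) src_ip gets masqueraded."""
    zone_wide, rules = parse_zone_listing(text)
    addr = ipaddress.ip_address(src_ip)
    if zone_wide:
        return "zone"
    for rule in rules:
        m = RICH_RULE_RE.match(rule)
        if not m or "masquerade" not in m.group("rest").split():
            continue
        if m.group("family") != "ipv%d" % addr.version:
            continue  # rule is for the other address family
        src = m.group("source")
        if src is None or addr in ipaddress.ip_network(src, strict=False):
            return "rich"
    return None
```

It only reads what one zone's definition says; it cannot tell you which zone the LAN interface is actually bound to, which is worth confirming on the host with firewall-cmd --get-active-zones before trusting the rule.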