Cisco devices have a "running config" in volatile memory and a "startup config" on persistent storage. You can modify the running config without committing the change to the startup config.

Because iptables changes aren't persistent unless you write them to some file that gets loaded at bootup.

Been a long time, but doesn't `write conf` write the config to NVRAM?

If I recall correctly he added a safety net that I setup after doing this a few time.

I'd be SSHd in and restart the rules, then the SSH session would hang. I was actively modifying rules and hey look I was a noobie sysadmin!

I made dumb mistakes back then. I believe that's when I made a catch all rule for my home IP on ssh in and out.

Regardless, thanks Tom!