Just keep in mind: You always have to block Incoming traffic at an Interface, so if you want to block traffic from LAN to Opt1 your rule has to be applied to the LAN Interface.
In your scenario I would use some Aliases to get your blacklist function and to keep the number of rules low to have a better overview:
At all Interfaces:
block proto any source-ip "blacklistip" source-port any destination-ip any destination-port any
block proto tcp/udp source-ip any source-port any destination-ip any destination-port "blacklistports"
pass proto any source-ip <interface>subnet source-port any destination-ip any destination-port any
Needed Aliases for this:
blacklistip - hosts alias with all blocked IPs
blacklistports - ports alias with blocked ports
This way you can simply add your IPs to the blacklistip alias or ports to the blacklistports alias (at least if you want to handle them all the same way). For special needs you can combine ports and hosts aliases or invent more aliases. Try to use the alias system as much as you can. It can simplify things a lot.
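
Added example, not part of the original post: a small Python model of the three rules above, evaluated per ingress interface, to check what the rule set does before entering it in the firewall. It assumes first-match-wins evaluation and a default deny for unmatched traffic; the alias contents, subnets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample aliases (not values from the post).
ALIASES = {
    "blacklistip": ["192.168.1.50", "192.168.1.96/28"],
    "blacklistports": [23, 445],
}
# Constructed interface subnets; "opt1" mirrors the Opt1 interface in the post.
SUBNETS = {"lan": "192.168.1.0/24", "opt1": "192.168.2.0/24"}


def in_nets(ip, nets):
    """True if ip falls inside any of the given hosts or networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rules_for(iface):
    """The three rules from the post, in order, as applied to one interface."""
    return [
        ("block", lambda p: in_nets(p["src"], ALIASES["blacklistip"])),
        ("block", lambda p: p["proto"] in ("tcp", "udp")
                  and p["dport"] in ALIASES["blacklistports"]),
        ("pass", lambda p: in_nets(p["src"], [SUBNETS[iface]])),
    ]


def evaluate(iface, packet):
    """Return the action of the first rule that matches on the ingress interface."""
    for action, matches in rules_for(iface):
        if matches(packet):
            return action
    return "block"  # assumption: unmatched traffic is dropped (default deny)


def pkt(src, dst, proto, dport=None):
    """Build a constructed test packet."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    # LAN host to Opt1: decided by the LAN interface rules, where it enters.
    print(evaluate("lan", pkt("192.168.1.10", "192.168.2.5", "tcp", 443)))
    # Blacklisted LAN host: blocked before the pass rule is reached.
    print(evaluate("lan", pkt("192.168.1.50", "192.168.2.5", "tcp", 443)))
```

Swapping the order so the pass rule comes first would let blacklisted hosts and ports through, which is why the block rules sit above it.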